v3.9.1
LTS
Released Apr 13, 2026 · Supported until Dec 31, 2026 · Community 1.13.3 · Community commit 3bd6f1a · Enterprise 0.16.1 · Helm chart · Docker Compose
Breaking: 3 to verify
Security: Issues
Changes: 2F · 0B
Downtime: Zero
Upgrade Impact
Breaking: Removed integrations require image review before upgrade
Removed AnalyticDB, Tablestore, ClickZetta, and Wandb Weave
Vector store integrations (AnalyticDB, Tablestore, ClickZetta) and the tracing provider integration (Wandb Weave) are not included in the standard Enterprise dify-api image for this LTS release. If your deployment depends on any of them, use docker.io/langgenius/dify-ee-api-insecure:3.9.1 instead, and only after reviewing and accepting the associated security risks (see the CVE report below).
OpenSearch as vector storage: ImportError
If OpenSearch is used as vector storage, the API may raise an ImportError. Use the patched image docker.io/langgenius/dify-ee-api:3.9.1-hotfix-20260422 for the Enterprise API service.
Hotfix (2026-04-23): workflow run instantiation performance
The image docker.io/langgenius/dify-ee-api:3.9.1-hotfix-20260423-2 improves workflow run instantiation performance by caching credentials.
What Changed
2 New Features
Database Configuration: Per-Service External Database Credentials
Enterprise deployments can now configure separate usernames and passwords for individual external databases instead of sharing one credential set across all services. This makes it easier to align with stricter database access policies and service-level credential isolation.
Azure Blob Storage: Managed Identity Support
Azure Blob Storage integrations can now authenticate with Azure Managed Identity in OSS-backed deployments. The Helm chart also adds the pod labels and service account configuration needed for Enterprise Audit and Plugin Daemon workloads to use managed identity without storing static credentials.
Upgrade Guide
- Back up PostgreSQL database and Redis data.
- Confirm Kubernetes cluster has sufficient resources for rolling update.
Example Helm values for Azure managed identity:
global:
  podLabels:
    azure.workload.identity/use: "true"
plugin_daemon:
  # azure managed service account
  serviceAccountName: "plugin-daemon-mi"
enterpriseAudit:
  serviceAccountName: "enterprise-audit-mi"
azureBlob:
  useManagedIdentity: true
Example per-database credential environment variables:
# If not set, falls back to externalDatabase.username and externalDatabase.password
databaseCredentials:
  dify:
    user: ""
    password: ""
  enterprise:
    user: ""
    password: ""
  audit:
    user: ""
    password: ""
  plugin_daemon:
    user: ""
    password: ""
Zero-downtime rolling upgrade supported
Upgrade Command
# Back up database first, then:
$ helm upgrade -i dify -f values.yaml dify-ee/dify --version 3.9.1
Rollback
$ helm rollback dify 0
Security & CVE
Security vulnerabilities found in this release. 28 Critical · 112 High CVE across all container images
Image    medium    low    Status
         36        123    FAIL
         25        120    FAIL
         6         2      FAIL
         6         2      FAIL
         9         2      FAIL
         5         1      FAIL
         7         2      FAIL
         13        152    FAIL
         9         150    FAIL
         9         150    FAIL
         8         3      FAIL
         7         2      FAIL
         7         2      FAIL
         631       53     FAIL
         7         3      FAIL
         7         2      FAIL
         8         35     FAIL
         1         1      FAIL
Scanner: Docker Scout
Scanned: Apr 15, 2026
Data Source: Docker
Benchmark Report
TTFE – Time To First Event (ms)
AVG: 315.09
MIN: 264
MAX: 738
P50: 306
P90: 340
P95: 366.7
Connections
Max Concurrent: 18
Avg Active: 17.3
Empty Workflow QPS
Max QPS: 40.6
Avg QPS: 39.97
Avg Duration (ms): 100.83
License Compliance
All dependencies compliant - no copyleft issues detected
Apache-2.0, MIT, BSD-3-Clause, MPL-2.0, BSD-2-Clause, ISC, CC0-1.0