v3.9.3
LTS · Recommended
Released May 8, 2026 · Supported until Dec 31, 2026 · Community 1.13.3 · Community commit f3d4605 · Enterprise 0.16.x · Helm chart · Docker Compose
Breaking: 3 to verify
Security: Issues
Changes: 0F · 6B
Downtime: Zero
Upgrade Impact
Breaking: The default Enterprise API image no longer ships Weights & Biases tracing or ClickZetta vector DB; use the `-insecure` API image if you still need them.
API image: W&B tracing and ClickZetta vector DB removed from default build
For a smaller attack surface, Weights & Biases (`wandb`) tracing and the ClickZetta vector database integration are no longer included in the default API image. If you still need those integrations, use the docker.io/langgenius/dify-ee-api-insecure:3.9.3 API image tag, which retains the previous behavior at the cost of additional known vulnerabilities.
Hotfix: API image 3.9.3-hotfix-20260512
A hotfix API image docker.io/langgenius/dify-ee-api:3.9.3-hotfix-20260512 is available. It allows skipping runtime credential validation by setting ENTERPRISE_DISABLE_RUNTIME_CREDENTIAL_CHECK=true, and resolves #35910.
Hotfix: API image 3.9.3-hotfix-20260515
A hotfix API image docker.io/langgenius/dify-ee-api:3.9.3-hotfix-20260515 is available. It improves TTFE (Time To First Event) by improving cache efficiency and reducing database roundtrips.
What Changed (6)
Security
Security: Vulnerability Fixes
Fixed several vulnerabilities present in the previous version. See the full CVE report for details.
Bug Fixes
Multi-Domain: Image URL Generation Inconsistency
Fixed image URL generation in multi-domain deployments where attachments.source_url incorrectly used the console domain instead of FILES_URL, causing 404 errors when loading images.
Credentials: Multiple Default Credentials Allowed
Fixed a bug where workspace members could each set their own default credential for the same tool, resulting in multiple default credentials. The system now enforces a single default credential per provider per workspace (tenant-scoped).
Helm: YAML Indentation Error Preventing Deployment
Fixed a YAML indentation error in templates/plugin/plugin-manager.yaml that caused Helm deployment to fail with a parse error.
Docker Compose: Missing Queue Configuration After Upgrade
Fixed an issue where upgrading Docker Compose caused workflow and chatflow previews to hang indefinitely due to missing workflow_based_app_execution in CELERY_QUEUES configuration.
OTLP: Endpoint Scheme Validation Blocking Alibaba Cloud ARMS
Fixed OTLP endpoint validation that rejected URLs with schemes (http://, https://), preventing integration with Alibaba Cloud ARMS and other observability platforms. The endpoint configuration now accepts full URLs and derives TLS security from the scheme.
Upgrade Guide
Pre-Upgrade Checklist
Back up PostgreSQL database and Redis data
Confirm Kubernetes cluster has sufficient resources for rolling update
Docker Compose users: Verify CELERY_QUEUES in .env includes workflow_based_app_execution to prevent workflow/chatflow preview hangs
Zero-downtime rolling upgrade supported
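A pre-upgrade check for the CELERY_QUEUES item in the checklist above, as an added example (not part of the release notes or Dify's own tooling). It assumes a plain KEY=value .env file in which the last uncommented assignment is the effective one; the function names and the sample queue names are constructed for illustration.

```sh
# Added example, not part of the release notes. Assumes .env holds KEY=value
# lines (optionally quoted or "export"-prefixed); last uncommented one wins.
REQUIRED_QUEUE="workflow_based_app_execution"
# Print the effective CELERY_QUEUES value from an env file (empty if unset).
celery_queues_value() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        {
            line = $0
            sub(/^[ \t]*(export[ \t]+)?/, "", line)
            if (line !~ /^CELERY_QUEUES[ \t]*=/) next
            sub(/^CELERY_QUEUES[ \t]*=[ \t]*/, "", line)
            sub(/[ \t]+#.*$/, "", line)          # drop trailing inline comment
            sub(/[ \t\r]+$/, "", line)           # drop trailing blanks and CR
            q = substr(line, 1, 1)
            if (length(line) >= 2 && (q == "\"" || q == "\047") &&
                substr(line, length(line), 1) == q)
                line = substr(line, 2, length(line) - 2)
            value = line
        }
        END { print value }
    ' "$1"
}

# Exit 0 if QUEUE is an exact list element, 1 if absent, 2 if the list is unset.
has_queue() {
    queues=$(celery_queues_value "$1")
    [ -n "$queues" ] || return 2
    printf '%s\n' "$queues" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -Fxq -- "$2"
}

# Report the result for one env file; non-zero return means "do not upgrade yet".
check_env() {
    rc=0; has_queue "$1" "$REQUIRED_QUEUE" || rc=$?
    case $rc in
        0) echo "OK: CELERY_QUEUES includes $REQUIRED_QUEUE" ;;
        2) echo "WARN: CELERY_QUEUES is not set in $1" ;;
        *) echo "FAIL: add $REQUIRED_QUEUE to CELERY_QUEUES in $1" ;;
    esac
    return $rc
}

# Constructed sample .env: the only exact match is commented out.
demo_env=$(mktemp)
printf '%s\n' '# CELERY_QUEUES=workflow_based_app_execution' \
    'CELERY_QUEUES="dataset,mail,workflow_based_app_execution_v0"' > "$demo_env"
check_env "$demo_env" || true
rm -f "$demo_env"
```

Call `check_env` with the path to the deployment's .env before upgrading; the match is on whole list elements, so a commented-out line or a similarly named queue does not count.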
Upgrade Command
# Back up database first, then:
$ helm upgrade -i dify -f values.yaml dify-ee/dify --version 3.9.3
Rollback
$ helm rollback dify 0
Security & CVE
Security vulnerabilities found in this release.
2 Critical · 16 High CVE across all container images
Image
medium: 20, 9, 1, 3, 5, 0, 2, 2, 2, 2, 6, 4, 6, 9, 6, 4, 4, 0
low: 14, 2, 9, 1, 1, 0, 1, 1, 1, 1, 2, 1, 4, 5, 2, 1, 2, 1
Status: FAIL, FAIL, PASS, PASS, FAIL, PASS, PASS, PASS, PASS, PASS, PASS, PASS, PASS, PASS, FAIL, PASS, PASS, PASS
Scanner: Docker Scout
Scanned: May 08, 2026
Data Source: Docker
Benchmark Report
TTFE – Time To First Event (ms)
Connections
Empty Workflow QPS
License Compliance
All dependencies compliant - no copyleft issues detected
Apache-2.0 · MIT · BSD-3-Clause · MPL-2.0 · BSD-2-Clause · ISC · CC0-1.0