Dify v1.14.2 is a patch release, but do not let that label fool you. It touches security boundaries, workflow execution reliability, and knowledge-base stability in ways that matter if you run multi-tenant deployments or depend on human-in-the-loop (HITL) flows.
Security first. The two most important changes tighten tenant isolation. App trace-config endpoints and FilePreview text extraction are now scoped to the correct tenant, closing a gap where one tenant could potentially reach another's data. Separately, default builtin tool credential updates are now restricted to workspace admins and owners. If you previously assumed any authenticated user could modify tool credentials, that assumption no longer holds. Stale tenant tool credentials are also cleaned up during reset-encrypt-key-pair runs, which matters if you rotate encryption keys as part of your security posture.
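The access-control pattern behind these two changes, shown as an added example that is not Dify's code and is not taken from the release: the data model, function names, role strings and sample records are hypothetical and constructed for illustration. It contrasts a lookup keyed on the app id alone with one that also checks the caller's tenant, and adds a role gate for default credential updates.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:  # hypothetical model, not Dify's schema
    id: str
    tenant_id: str
    trace_config: dict


# Constructed sample data: two tenants with one app each.
APPS = {
    "app-a": App("app-a", "tenant-a", {"project": "alpha"}),
    "app-b": App("app-b", "tenant-b", {"project": "beta"}),
}

# Assumed role names for "workspace admins and owners".
CREDENTIAL_ADMIN_ROLES = {"owner", "admin"}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_trace_config_unscoped(app_id: str) -> dict:
    """Illustrative unscoped lookup: the app id alone selects the record."""
    app = APPS.get(app_id)
    if app is None:
        raise NotFound(app_id)
    return app.trace_config


def get_trace_config_scoped(caller_tenant_id: str, app_id: str) -> dict:
    """Scoped lookup: the record must belong to the caller's tenant."""
    app = APPS.get(app_id)
    # Same error for "missing" and "other tenant", so ids cannot be probed.
    if app is None or app.tenant_id != caller_tenant_id:
        raise NotFound(app_id)
    return app.trace_config


def update_default_tool_credential(caller_role: str, store: dict, tool: str, cred_id: str) -> None:
    """Only owner or admin roles may change a tool's default credential."""
    if caller_role not in CREDENTIAL_ADMIN_ROLES:
        raise Forbidden(caller_role)
    store[tool] = cred_id
```

The same two assertions, cross-tenant read returns not-found and non-admin update is refused, are what a post-upgrade regression check against your own deployment should confirm.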
Workflow execution fixes. Five separate patches land here. Tracing was broken after a HITL workflow resumed; that is now restored. Workflow run callback tracking is improved. Message-update database roundtrips are reduced. Memory fetches that were firing outside the Flask context are corrected. Base64 file lookup sessions are closed properly. Together, these fixes address the kind of subtle runtime failures that are hard to reproduce in development but show up under production load.
Model selection and UI polish. The release fixes loading behavior when no model is selected, filters model presets by supported parameters only, and improves API extension dialog controls. Small fixes, but they remove friction during workflow authoring.
Knowledge-base stability. Hit-testing rendering, empty knowledge creation, recommended app category ordering, and null handling in recommended app detail retrieval are all patched. These are the sorts of bugs that surface when you push edge cases in your data pipeline.
What to do today. If you operate a multi-tenant Dify deployment, upgrade to v1.14.2 immediately. The tenant-isolation and tool-credential changes are not optional hardening; they are corrections to access control behavior. After upgrading, run reset-encrypt-key-pair if you have pending key rotation work, since the stale credential cleanup is now bundled into that process. If your team uses HITL workflows in production, verify that tracing resumes correctly after a human approval step; the fix is in, but confirming it in your own environment is worth the ten minutes.