Dify v1.14.2 is a patch release that touches four areas product engineers care about: security boundaries, workflow execution reliability, knowledge-base stability, and agent groundwork. If you run Dify in a multi-tenant setup or depend on human-in-the-loop (HITL) workflows, this update has direct implications for you.
Security tightening comes first. The release strengthens tenant isolation for app trace-config endpoints and FilePreview text extraction. That matters if you host multiple tenants on a shared instance and want to keep trace data from leaking across workspace boundaries. On the credential side, default builtin tool credential updates are now restricted to workspace admins and owners. Stale tenant tool credentials are also cleaned up during reset-encrypt-key-pair operations, closing a surface that could expose leftover secrets.
Workflow execution gets several targeted fixes. The most notable: tracing is restored after a HITL workflow resumes. Before this patch, a workflow that paused for human review would lose its trace on resume, making observability incomplete for any flow with approval steps. The release also improves workflow run callback tracking, reduces message-update database roundtrips, fixes memory fetches that were firing outside the Flask context, and closes base64 file lookup sessions correctly. Each of these is a small fix, but together they reduce the failure surface in long-running or high-throughput workflow deployments.
Model selection and API extension dialogs also get polish. Loading behavior is fixed when no model is selected, model presets are now filtered by supported parameters, and API extension dialog controls are improved. These are UI-level fixes, but they affect the day-to-day experience of configuring nodes in the workflow editor.
Knowledge-base and RAG reliability receives attention too. Knowledge hit-testing rendering is fixed, empty knowledge creation now works correctly, recommended app category ordering is corrected, and null handling in recommended app detail retrieval is patched. For teams building retrieval-augmented applications, these fixes reduce the chance of silent failures during knowledge setup and testing.
What should you do today? If you are running v1.14.1 in a multi-tenant environment, upgrade to v1.14.2 for the tenant isolation and credential fixes. If you use HITL workflows and depend on traces for debugging or compliance, this upgrade restores that observability. The database roundtrip reduction and session-handling fixes are worth having in any production deployment, even if you do not hit the edge cases directly. Review the credential-restriction change if you have non-admin users who previously managed builtin tool credentials, since that permission is now locked to admins and owners.