Dify v1.14.2 is a patch release. It addresses security exposure, workflow execution gaps, and knowledge-base instability that slipped through after v1.14.1. If you run Dify in a multi-tenant setup or depend on human-in-the-loop (HITL) workflows, this update is not optional.
Security comes first. The release strengthens tenant isolation for app trace-config endpoints and FilePreview text extraction. Two separate pull requests closed paths where cross-tenant data could be reached. On top of that, default builtin tool credential updates are now restricted to workspace admins and owners. Stale tenant tool credentials are cleaned up during reset-encrypt-key-pair. These are the kinds of fixes that matter most to teams running Dify as a shared platform.
Workflow reliability got meaningful attention. Tracing was broken after a HITL workflow resumed. That is now restored. Workflow run callback tracking was improved, message-update database roundtrips were reduced, memory fetches outside the Flask context were fixed, and base64 file lookup sessions are now closed correctly. Five separate contributors landed fixes across five pull requests. The cumulative effect is a more stable execution path for long-running or paused workflows.
On the UI side, loading behavior when no model is selected was fixed. Model presets are now filtered by supported parameters, which removes noise from the selection interface. API extension dialog controls were also improved.
Knowledge-base fixes round out the release. Hit-testing rendering was broken and is now fixed. Empty knowledge creation was patched. Recommended app category ordering and null handling in recommended app detail retrieval were corrected. These are not flashy changes, but broken rendering in knowledge hit-testing is the kind of bug that erodes trust in a RAG pipeline quickly.
The release notes also reference agent groundwork and deployment and runtime tuning, signaling that the next feature cycle is already in motion.
What to do today: If you manage a multi-tenant Dify deployment, update to v1.14.2 immediately for the tenant isolation and credential fixes. If you use HITL workflows, verify that tracing resumes correctly after upgrade. And if you ran reset-encrypt-key-pair before this release, check whether stale tool credentials were left behind.