June 7, 2026

security

Dify Patches Tenant Isolation, Workflow Tracing, and Tool Credentials

Dify v1.14.2 tightens tenant isolation, restricts default builtin tool credential updates to workspace admins and owners, and fixes a cluster of workflow reliability bugs, including broken tracing after human-in-the-loop resume. Here is what changed and what to act on now.

Dify v1.14.2 lands as a focused patch release. It hits four areas that matter for teams running Dify in production: security hardening, workflow reliability, knowledge-base stability, and deployment tuning.

Tenant isolation got tighter. Two endpoints were exposed in ways that could let cross-tenant access slip through: app trace-config endpoints and FilePreview text extraction. Both are now scoped correctly to the requesting tenant. If you run a multi-tenant Dify deployment, this fix is reason enough to upgrade today.

Tool credential permissions are now enforced properly. Before this patch, default builtin tool credential updates were not restricted to workspace admins and owners. That is fixed. The release also cleans up stale tenant tool credentials when you run reset-encrypt-key-pair, which removes a category of credential leak risk during key rotation.
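
The two access-control fixes described above (tenant scoping of a trace-config lookup, and the admin/owner restriction on default tool credential updates) follow a common pattern, shown here as an added example. It is not Dify's code: every function name, role string and data value below is a hypothetical stand-in.

```python
# Added illustration with hypothetical names; not Dify source code.
from dataclasses import dataclass

ADMIN_ROLES = {"owner", "admin"}  # assumed role strings for workspace owners/admins


@dataclass(frozen=True)
class Caller:
    tenant_id: str  # taken from the authenticated session, never from the request
    role: str


# Constructed sample data: each trace config belongs to exactly one tenant.
TRACE_CONFIGS = {
    "app-a": {"tenant_id": "tenant-1", "provider": "example-tracer"},
    "app-b": {"tenant_id": "tenant-2", "provider": "example-tracer"},
}
TOOL_CREDENTIALS = {("tenant-1", "builtin-search"): {"api_key": "old"}}


class Forbidden(Exception):
    """Caller is authenticated but lacks the required role."""


class NotFound(Exception):
    """Resource is missing or belongs to another tenant."""


def get_trace_config_unscoped(caller, app_id):
    """Weak form: looks up by app id only, so any tenant can read any app's config."""
    return TRACE_CONFIGS[app_id]


def get_trace_config_scoped(caller, app_id):
    """Hardened form: the caller's tenant id is part of the lookup condition."""
    cfg = TRACE_CONFIGS.get(app_id)
    # Same error for "missing" and "other tenant" avoids confirming the id exists.
    if cfg is None or cfg["tenant_id"] != caller.tenant_id:
        raise NotFound(app_id)
    return cfg


def update_default_tool_credential(caller, provider, new_credential):
    """Role gate plus tenant scoping: the key is built from the caller's own tenant."""
    if caller.role not in ADMIN_ROLES:
        raise Forbidden("only workspace admins and owners may update tool credentials")
    key = (caller.tenant_id, provider)
    TOOL_CREDENTIALS[key] = dict(new_credential)
    return TOOL_CREDENTIALS[key]
```
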

Workflow execution had several quiet failure modes. The most disruptive: tracing broke silently after a human-in-the-loop (HITL) workflow resumed. That is restored. Additional fixes in the same area cover workflow run callback tracking, reduced database roundtrips on message updates, memory fetches that were happening outside Flask context, and sessions for base64 file lookup that were not being closed correctly. Any of these could cause hard-to-diagnose behavior in production workflows.

Model selection and UI controls also saw fixes. Loading behavior when no model is selected, filtering of model presets by supported parameters, and controls in the API extension dialog were all corrected. These are quality-of-life issues but they affect the builder experience when wiring up nodes.

Knowledge-base reliability improved across several edge cases. Hit-testing rendering, empty knowledge creation flows, recommended app category ordering, and null handling in recommended app detail retrieval were all broken in specific conditions and are now fixed.

What to do right now: If you are on v1.14.1 or earlier and running multi-tenant deployments, upgrade to v1.14.2 immediately for the tenant isolation and credential fixes. If you are using HITL workflows, the tracing restoration alone is worth the upgrade. Run reset-encrypt-key-pair after upgrading if you have rotated or plan to rotate encryption keys, so the stale credential cleanup runs against your current state. The patch is backward-compatible with v1.14.x, so there is no migration work to plan around.
