Platform
go
Component
github.com/dagu-org/dagu
Fixed in
2.2.5
CVE-2026-31886 describes a critical Path Traversal vulnerability discovered in Dagu, a Go-based workflow orchestration tool. This flaw allows attackers to potentially read sensitive files from the server by manipulating the dagRunId parameter during inline DAG execution. The vulnerability impacts versions of Dagu before 2.2.4, and a patch has been released to address the issue.
The Path Traversal vulnerability in Dagu allows an attacker to bypass intended access controls and read files outside of the intended directory. By crafting a malicious dagRunId parameter, an attacker can specify a path to any file accessible to the Dagu process. This could include sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the server and data exfiltration. The impact is particularly severe given Dagu's role in orchestrating workflows, potentially granting access to critical infrastructure.
CVE-2026-31886 was publicly disclosed on 2026-03-13. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. Given the critical severity and the ease of exploitation once a PoC is developed, monitoring for exploitation is recommended.
Organizations using Dagu to orchestrate workflows, particularly those deploying Dagu in production environments with sensitive data, are at significant risk. Environments with weak input validation or inadequate access controls are especially vulnerable. Teams relying on Dagu for critical automation tasks should prioritize patching.
• go / binary: Use go build to compile the Dagu source code and then analyze the binary for path traversal vulnerabilities using static analysis tools.
• go / server: Monitor Dagu logs for unusual file access attempts or errors related to file paths.
• generic web: Use curl to test the inline DAG execution endpoint with various dagRunId parameters containing path traversal sequences (e.g., ../../../../etc/passwd).
curl 'http://dagu-server/inline-dag?dagRunId=../../../../etc/passwd'
disclosure
Exploit status
EPSS
0.15% (35th percentile)
The primary mitigation for CVE-2026-31886 is to upgrade Dagu to version 2.2.4 or later, which includes a fix for the vulnerability. If immediate upgrading is not possible, consider implementing strict input validation on the dagRunId parameter to prevent path traversal attempts. Web Application Firewalls (WAFs) configured with rules to block suspicious path traversal patterns can also provide a temporary layer of protection. Regularly review Dagu's configuration and access controls to minimize the potential impact of a successful exploit.
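The interim mitigation above, strict validation of `dagRunId`, shown as an added Go example (not Dagu's own code). The identifier allowlist, the base directory `/var/lib/dagu/runs` and the function names are assumptions for illustration; the second check resolves the path and confirms it stays inside the base directory even if the allowlist is later relaxed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Constructed allowlist for run identifiers: letters, digits, "-" and "_".
// Dagu's real identifier format is an assumption here; adjust to your deployment.
var dagRunIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$`)

var ErrInvalidDAGRunID = errors.New("invalid dagRunId")

// ValidateDAGRunID rejects anything that is not a plain identifier, so path
// separators, "..", and absolute paths never reach the filesystem layer.
func ValidateDAGRunID(id string) error {
	if !dagRunIDPattern.MatchString(id) {
		return ErrInvalidDAGRunID
	}
	return nil
}

// RunDataPath resolves the on-disk location for a run and, as defense in depth,
// verifies that the cleaned result is still located under baseDir.
func RunDataPath(baseDir, id string) (string, error) {
	if err := ValidateDAGRunID(id); err != nil {
		return "", err
	}
	root := filepath.Clean(baseDir)
	p := filepath.Join(root, id)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || filepath.IsAbs(rel) ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGRunID
	}
	return p, nil
}

func main() {
	// Constructed inputs: one valid run id and three traversal attempts.
	for _, id := range []string{"run-20260313-abc", "../../../../etc/passwd", "/etc/passwd", ""} {
		p, err := RunDataPath("/var/lib/dagu/runs", id)
		fmt.Printf("%-28q -> %q, err=%v\n", id, p, err)
	}
}
```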
Upgrade Dagu to version 2.2.4 or later. This version fixes the path traversal vulnerability by correctly validating the `dagRunId` input.
CVE-2026-31886 is a critical Path Traversal vulnerability in Dagu (github.com/dagu-org/dagu) allowing attackers to read arbitrary files. It affects versions before 2.2.4.
You are affected if you are running Dagu versions prior to 2.2.4. Check your Dagu version and upgrade immediately if vulnerable.
Upgrade Dagu to version 2.2.4 or later. As a temporary measure, implement strict input validation on the dagRunId parameter.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants close monitoring.
Refer to the Dagu project's official repository and release notes for the advisory and detailed information: https://github.com/dagu-org/dagu