Platform
go
Component
github.com/dagu-org/dagu
Fixed in
2.0.1
1.30.4-0.20260319093346-7d07fda8f9de
CVE-2026-33344 is a Path Traversal vulnerability discovered in Dagu, a Go-based DAG (Directed Acyclic Graph) management tool. This flaw allows attackers to bypass directory restrictions by crafting malicious file names containing encoded forward slashes, potentially exposing sensitive data. The vulnerability affects versions prior to 1.30.4-0.20260319093346-7d07fda8f9de, and a patch has been released to address the issue.
This Path Traversal vulnerability arises from insufficient validation of the {fileName} parameter in several Dagu API endpoints (GET, DELETE, RENAME, EXECUTE). An attacker can leverage encoded forward slashes (%2F) within this parameter to traverse outside the designated DAGs directory. Successful exploitation could grant unauthorized access to arbitrary files on the server's file system, potentially exposing sensitive configuration data, credentials, or other critical information. The impact is amplified if the server is used to manage sensitive data or control critical infrastructure, as an attacker could gain a foothold for further malicious activities, including code execution or data exfiltration. While no direct exploitation has been publicly reported, the ease of exploitation and potential impact make this a significant security concern.
CVE-2026-33344 was published on 2026-03-19. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. No proof-of-concept (PoC) code had been publicly released as of the publication date, but the nature of the flaw makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations utilizing Dagu for DAG management, particularly those with publicly exposed API endpoints, are at risk. Environments with legacy Dagu configurations or those lacking robust network segmentation are especially vulnerable. Shared hosting environments where multiple users share a Dagu instance also face increased risk.
• linux / server (look for encoded forward slashes in DAG lookups in the service log):
journalctl -u dagu -g "locateDAG" | grep -i '%2F'
• generic web (verify the fix: expect 403 Forbidden after patching; the pattern matches the status line for HTTP/1.1 and HTTP/2 alike):
curl -sI 'http://your-dagu-instance/api/dag/your-dag-name/%2e%2e%2f/etc/passwd' | grep -E '^HTTP/[0-9.]+ 403'
Disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33344 is to immediately upgrade Dagu to version 1.30.4-0.20260319093346-7d07fda8f9de or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the vulnerable API endpoints or employing a Web Application Firewall (WAF) to filter requests containing encoded forward slashes in the {fileName} parameter. Carefully review and harden the Dagu configuration to minimize the potential impact of a successful attack. After upgrading, confirm the fix by attempting to access files outside the DAGs directory using crafted requests with encoded forward slashes; access should be denied.
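To make the mechanism described above and the hardening called for here concrete, the following Go snippet is an added example written for this page; it is not Dagu's code, and the function names, the DAGs directory path and the sample inputs are all constructed. It puts a naive resolver, which decodes the {fileName} segment and joins it onto the DAGs directory as-is, beside a hardened one that decodes first, rejects any path separator or dot name, and then confirms the joined path still lies inside the base directory. The hardened version assumes a flat DAGs directory (one path element per DAG); if your router already percent-decodes the segment, the explicit decode step can be dropped.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrInvalidDAGName is returned for any {fileName} that must not reach the filesystem.
var ErrInvalidDAGName = errors.New("invalid DAG file name")

// resolveNaive reproduces the bug class described in the advisory (hypothetical code,
// not Dagu's): the decoded segment is joined onto the DAGs directory and used as-is.
// "%2e%2e%2f%2e%2e%2fetc%2fpasswd" decodes to "../../etc/passwd", and filepath.Join
// normalises the result to a path outside dagsDir without complaint.
func resolveNaive(dagsDir, fileName string) string {
	decoded, err := url.PathUnescape(fileName)
	if err != nil {
		decoded = fileName
	}
	return filepath.Join(dagsDir, decoded)
}

// resolveSafe is the hardened counterpart. It assumes DAG files live in a flat
// directory (one path element per DAG), an assumption of this example. Checks, in order:
//  1. decode percent-encoding, so %2F and %5C are judged as the separators they become;
//  2. reject empty names, dot names, NUL bytes and any separator in either style;
//  3. join onto the cleaned base and confirm the result is still inside it.
// Step 3 is redundant after step 2 on a flat layout but stays as defence in depth
// for a future layout that allows sub-directories.
// Note: filepath does not resolve symlinks; if dagsDir may contain symlinks that point
// outside it, additionally compare filepath.EvalSymlinks(full) against the base.
func resolveSafe(dagsDir, fileName string) (string, error) {
	decoded, err := url.PathUnescape(fileName)
	if err != nil {
		return "", ErrInvalidDAGName
	}
	switch {
	case decoded == "", decoded == ".", decoded == "..":
		return "", ErrInvalidDAGName
	case strings.ContainsAny(decoded, `/\`), strings.ContainsRune(decoded, 0):
		return "", ErrInvalidDAGName
	}
	base := filepath.Clean(dagsDir)
	full := filepath.Join(base, decoded)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGName
	}
	return full, nil
}

func main() {
	dagsDir := "/var/lib/dagu/dags" // constructed example path
	// Constructed inputs: a legitimate name, the encoded traversal shape from the
	// advisory, a mixed-case encoding, and a backslash variant.
	for _, name := range []string{
		"etl.yaml",
		"%2e%2e%2f%2e%2e%2fetc%2fpasswd",
		"..%2F..%2Fetc%2Fpasswd",
		"..%5C..%5Cetc%5Cpasswd",
	} {
		fmt.Printf("naive  %-34s -> %s\n", name, resolveNaive(dagsDir, name))
		if p, err := resolveSafe(dagsDir, name); err != nil {
			fmt.Printf("safe   %-34s -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe   %-34s -> %s\n", name, p)
		}
	}
}
```

Running it shows the naive resolver mapping the encoded input to /var/lib/etc/passwd while the hardened one rejects every traversal variant and accepts only the plain file name. The same decode-then-validate order is what a WAF rule used as a temporary workaround has to replicate: matching only on a literal "../" misses the encoded form entirely.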
Upgrade Dagu to version 2.3.1 or later. This version fixes the path traversal vulnerability by correctly validating DAG names in all API endpoints.
CVE-2026-33344 is a Path Traversal vulnerability affecting Dagu versions before 1.30.4-0.20260319093346-7d07fda8f9de, allowing attackers to access files outside the intended directory.
If you are running Dagu versions prior to 1.30.4-0.20260319093346-7d07fda8f9de, you are potentially affected by this vulnerability.
Upgrade Dagu to version 1.30.4-0.20260319093346-7d07fda8f9de or later. Consider WAF rules as a temporary mitigation.
There are currently no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the Dagu project's official repository and release notes for the advisory and patch details.