Platform
go
Component
github.com/dagu-org/dagu
Fixed in
2.2.5
CVE-2026-31886 is a critical Path Traversal vulnerability in Dagu, a Go-based workflow orchestration tool. By manipulating the dagRunId parameter during inline DAG execution, an attacker can cause the server to read files outside the intended run directory. The vulnerability affects Dagu versions before 2.2.4, and a patched release is available.
The flaw lets an attacker bypass the intended directory restriction and read files outside the run directory. A crafted dagRunId (one carrying path separators or `..` segments) is used to build a filesystem path, so the resulting path can point at any file readable by the Dagu process: configuration files, database credentials, or source code. An arbitrary file read is not by itself code execution, but secrets recovered this way can be reused against the systems Dagu orchestrates, which is why the impact is rated critical.
CVE-2026-31886 was publicly disclosed on 2026-03-13. As of this writing there is no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog. A traversal through a single request parameter is straightforward to weaponize once the vulnerable code path is known, so monitoring for exploitation attempts (requests whose dagRunId contains `..` or path separators) is recommended.
Exploit Status
EPSS
0.15% (35th percentile)
The primary mitigation for CVE-2026-31886 is to upgrade Dagu to version 2.2.4 or later, which contains the fix. If an immediate upgrade is not possible, enforce strict validation of the dagRunId parameter in front of Dagu: reject any value containing path separators, `..` segments, or characters outside the run ID format you expect. A Web Application Firewall with rules for common traversal patterns (`../`, URL-encoded `%2e%2e%2f`, and similar) gives a temporary layer of protection but should not be relied on as the only control, since encoding variants are easy to miss. Also review Dagu's configuration and run it with the least filesystem access it needs, so that a successful read exposes as little as possible.
Update Dagu to version 2.2.4 or later. This release fixes the path traversal by validating the `dagRunId` input before it is used to build a filesystem path.
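To make the vulnerability class and the recommended validation concrete, the following is an added example written for this page; it is not Dagu's code, and the directory layout (`/var/lib/dagu/runs`), the run ID format, and the function names are assumptions. It shows the unguarded join that produces a traversal next to a hardened version that applies both an allowlist on the ID and a containment check on the resolved path (Linux-style paths assumed).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// baseDir is a constructed example run directory; Dagu's real data layout
// is not assumed here.
const baseDir = "/var/lib/dagu/runs"

// ErrInvalidRunID is returned for any dagRunId that fails validation.
var ErrInvalidRunID = errors.New("invalid dagRunId")

// runIDPattern is an assumed allowlist for this example: one alphanumeric
// character followed by up to 63 of [A-Za-z0-9_-]. It rejects empty IDs,
// leading dots, and every path separator. Dagu's real ID format may differ.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// vulnerableRunPath shows the traversal pattern: the untrusted ID is joined
// onto the base directory with no validation. filepath.Join cleans the
// result, so "../../../../etc/passwd" resolves to a path outside baseDir.
func vulnerableRunPath(dagRunID string) string {
	return filepath.Join(baseDir, dagRunID)
}

// safeRunPath applies two independent checks (defence in depth):
//  1. an allowlist on the ID itself, which rejects separators, dot segments
//     and empty values before any path is built;
//  2. a containment check on the resolved path, which still holds if the
//     allowlist is relaxed later.
func safeRunPath(dagRunID string) (string, error) {
	if !runIDPattern.MatchString(dagRunID) {
		return "", ErrInvalidRunID
	}
	p := filepath.Join(baseDir, dagRunID)
	// Compare against baseDir plus a trailing separator so that a sibling
	// directory such as /var/lib/dagu/runs-old is not accepted as "inside".
	root := filepath.Clean(baseDir) + string(filepath.Separator)
	if !strings.HasPrefix(p, root) {
		return "", ErrInvalidRunID
	}
	return p, nil
}

func main() {
	// Constructed sample inputs: one legitimate ID and three hostile ones.
	for _, id := range []string{"run-20260313-abc", "../../../../etc/passwd", "..", ""} {
		fmt.Printf("%-26q vulnerable -> %s\n", id, vulnerableRunPath(id))
		if p, err := safeRunPath(id); err != nil {
			fmt.Printf("%-26q safe       -> rejected: %v\n", id, err)
		} else {
			fmt.Printf("%-26q safe       -> %s\n", id, p)
		}
	}
}
```

The allowlist is the check that matters most: a traversal payload never reaches the filesystem layer. The prefix check is kept as a second line of defence, and the trailing separator in `root` is what stops a sibling-directory bypass that a bare `HasPrefix(p, baseDir)` would miss.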
CVE-2026-31886 is a critical Path Traversal vulnerability in Dagu (github.com/dagu-org/dagu) allowing attackers to read arbitrary files. It affects versions before 2.2.4.
You are affected if you are running Dagu versions prior to 2.2.4. Check your Dagu version and upgrade immediately if vulnerable.
Upgrade Dagu to version 2.2.4 or later. As a temporary measure, implement strict input validation on the dagRunId parameter.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants close monitoring.
Refer to the Dagu project's official repository and release notes for the advisory and detailed information: https://github.com/dagu-org/dagu