Platform: go
Component: github.com/dagu-org/dagu
Fixed in: 2.0.1, 1.30.4-0.20260319093346-7d07fda8f9de
CVE-2026-33344 is a Path Traversal vulnerability discovered in Dagu, a Go-based DAG (Directed Acyclic Graph) management tool. This flaw allows attackers to bypass directory restrictions by crafting malicious file names containing encoded forward slashes, potentially exposing sensitive data. The vulnerability affects versions prior to 1.30.4-0.20260319093346-7d07fda8f9de, and a patch has been released to address the issue.
An attacker exploiting CVE-2026-33344 can leverage encoded forward slashes (%2F) within the {fileName} URL parameter to traverse outside the designated DAGs directory. This bypasses the intended validation checks, allowing access to arbitrary files on the server's file system. The potential impact includes unauthorized access to configuration files, source code, or other sensitive data stored on the system. Successful exploitation could lead to data breaches, system compromise, and potential lateral movement within the network if the Dagu instance has access to other resources. The blast radius depends on the permissions of the Dagu process and the files accessible from its location.
CVE-2026-33344 was published on 2026-03-19. The vulnerability's exploitation context is currently unknown, and no public proof-of-concept (PoC) code has been released. It is not listed on the CISA KEV catalog at the time of writing. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status: EPSS 0.02% (6th percentile)
The primary mitigation for CVE-2026-33344 is to immediately upgrade Dagu to version 1.30.4-0.20260319093346-7d07fda8f9de or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing encoded forward slashes in the {fileName} parameter. Additionally, restrict access to the Dagu API endpoints to trusted networks and users. Regularly review and audit Dagu's configuration to ensure it adheres to security best practices. After upgrade, confirm the fix by attempting to access files outside the DAGs directory using a crafted URL with encoded forward slashes; access should be denied.
Update Dagu to version 2.3.1 or higher. This version fixes the path traversal vulnerability by correctly validating DAG names in all API endpoints.
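As an added illustration (not Dagu's code; the DAGs directory, function names and sample inputs are assumptions), this Go snippet contrasts a check run on the still-encoded {fileName} segment, which lets an encoded slash through, with a validator that decodes first, rejects any separator or dot-dot component, and confirms the resolved path stays inside the DAGs directory:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrInvalidDAGName is returned for any name that could leave the DAGs directory.
var ErrInvalidDAGName = errors.New("invalid DAG name")

// NaiveSlashCheck models the weak pattern: it inspects the raw, still-encoded
// path segment, so "%2F" never matches the literal "/" it is looking for.
func NaiveSlashCheck(rawName string) bool {
	return !strings.Contains(rawName, "/")
}

// ResolveDAGPath maps a {fileName} URL parameter onto a file under dagsDir
// (hypothetical helper). It percent-decodes before validating, so an encoded
// slash is treated exactly like a literal one.
func ResolveDAGPath(dagsDir, rawName string) (string, error) {
	name, err := url.PathUnescape(rawName)
	if err != nil {
		return "", ErrInvalidDAGName
	}
	// A DAG name is a single file name: no separators, no "." or "..", no NUL.
	if name == "" || name == "." || name == ".." ||
		strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", ErrInvalidDAGName
	}
	base, err := filepath.Abs(dagsDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, name)
	// Defence in depth: the joined path must still sit beneath the base directory.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidDAGName
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: one benign name, two with encoded slashes.
	for _, n := range []string{"hello.yaml", "..%2F..%2Fetc%2Fpasswd", "a%2Fb.yaml"} {
		p, err := ResolveDAGPath("./dags", n)
		fmt.Printf("naive=%-5v strict=%q err=%v\n", NaiveSlashCheck(n), p, err)
	}
}
```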
CVE-2026-33344 is a Path Traversal vulnerability affecting Dagu versions before 1.30.4-0.20260319093346-7d07fda8f9de, allowing attackers to access files outside the intended directory.
If you are running Dagu versions prior to 1.30.4-0.20260319093346-7d07fda8f9de, you are potentially affected by this vulnerability.
Upgrade Dagu to version 1.30.4-0.20260319093346-7d07fda8f9de or later. Consider WAF rules as a temporary mitigation.
There are currently no confirmed reports of active exploitation, but it's crucial to apply the patch promptly.
Refer to the Dagu project's official repository and release notes for the advisory and patch details.