Platform
go
Component
github.com/dagu-org/dagu
Fixed version
2.2.5
CVE-2026-31886 is a path traversal vulnerability in Dagu, a Go-based workflow orchestration tool, rated critical. The dagRunId parameter supplied for inline DAG execution is used to build a filesystem path without adequate validation, so an attacker who can reach the API can read files outside the intended run directory with the privileges of the Dagu process. The vulnerability affects Dagu versions before 2.2.4; a patched release is available.
Because dagRunId is joined into a file path, a value containing ../ sequences escapes the directory Dagu intends to read from, and any file readable by the user the Dagu process runs as becomes readable through the API: Dagu's own configuration, credentials embedded in DAG definitions or environment files, and the source of other workflows. The bug is a file-read primitive, not code execution, but credentials recovered this way can be reused against the systems Dagu orchestrates, which is what makes the impact severe and can lead to broader server compromise and data exfiltration.
CVE-2026-31886 was publicly disclosed on 2026-03-13. As of this writing there is no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog. A path traversal in a query parameter needs no special tooling, so a working PoC is likely to appear quickly once the vulnerable code path is identified; monitoring for exploitation attempts is recommended.
Organizations running Dagu in production, particularly where the orchestrated workflows handle sensitive data or credentials, are at significant risk. Instances whose web UI or API is reachable by users who are not fully trusted, or exposed without authentication, are at the highest risk. Teams relying on Dagu for critical automation should prioritize patching.
• go / binary: Confirm the installed version. For a binary built with Go modules, `go version -m /path/to/dagu` prints the embedded module path and version; compare it against the fixed release.
• go / server: Review Dagu's logs and any reverse-proxy access logs for requests whose dagRunId value contains `..`, `/`, or their percent-encoded forms (`%2e%2e`, `%2f`), and for file-open errors that reference paths outside the DAG run directory.
• generic web: On a system you are authorized to test, probe the inline DAG execution endpoint with a dagRunId containing traversal sequences (e.g., ../../../../etc/passwd). A response that returns the target file's contents rather than a validation error indicates a vulnerable instance. The endpoint path below is a placeholder; adjust it to your deployment.
curl 'http://dagu-server/inline-dag?dagRunId=../../../../etc/passwd'
Exploitation status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31886 is to upgrade Dagu to version 2.2.4 or later, which contains the fix. If an immediate upgrade is not possible, apply strict allowlist validation to the dagRunId parameter: accept only plain identifiers (for example alphanumerics, dots, dashes and underscores) and reject anything containing path separators or `..`, rather than trying to strip traversal sequences out of the value. A Web Application Firewall rule that blocks traversal patterns can add a temporary layer of protection, but it must also match percent-encoded variants (`%2e%2e%2f`), since the server decodes the query before using it, and it should not be treated as a substitute for the patch. Run Dagu as a dedicated low-privilege user and keep its access controls tight so that a file-read primitive reaches as few sensitive files as possible.
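The allowlist check described above, written out as an added example in Go. This is illustrative code, not Dagu's own implementation: the run-ID pattern, the `.json` suffix, the `/var/lib/dagu/runs` directory and the `/inline-dag` path in the constructed sample log are all assumptions. The block also covers the log-monitoring step in the detection section: the same validator, applied to URL-decoded `dagRunId` values from request lines, flags the traversal payloads the curl probe sends, including percent-encoded ones.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrInvalidRunID is returned for any dagRunId that is not a plain identifier.
var ErrInvalidRunID = errors.New("invalid dagRunId")

// runIDPattern is a hypothetical allowlist (not Dagu's own rule): one
// alphanumeric character followed by up to 127 alphanumerics, dots, dashes or
// underscores. Path separators, NUL bytes and a leading ".." cannot match it.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// ValidateRunID is the allowlist check: it validates the identifier itself
// instead of trying to strip "../" sequences out of it.
func ValidateRunID(id string) error {
	if !runIDPattern.MatchString(id) {
		return ErrInvalidRunID
	}
	return nil
}

// unsafeRunFilePath shows the pattern the advisory describes: the untrusted
// ID is joined into a filesystem path with no validation, so a value like
// "../../../../etc/passwd" resolves to a path outside baseDir.
func unsafeRunFilePath(baseDir, id string) string {
	return filepath.Join(baseDir, id)
}

// RunFilePath is the hardened form. It validates the ID and then, as an
// independent second check, confirms the cleaned path still lies under
// baseDir, so containment holds even if the allowlist is later loosened.
func RunFilePath(baseDir, id string) (string, error) {
	if err := ValidateRunID(id); err != nil {
		return "", err
	}
	base := filepath.Clean(baseDir)
	p := filepath.Join(base, id+".json")
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidRunID
	}
	return p, nil
}

// FlagTraversalRequests scans request lines of the form "METHOD /path?query"
// and returns every decoded dagRunId that fails ValidateRunID. Decoding first
// matters: a rule that matches the literal "../" misses "%2e%2e%2f", but the
// server decodes the query string before using the value.
func FlagTraversalRequests(lines []string) []string {
	var hits []string
	for _, line := range lines {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil {
			continue
		}
		id := u.Query().Get("dagRunId") // Query() percent-decodes the value
		if id == "" {
			continue
		}
		if ValidateRunID(id) != nil {
			hits = append(hits, id)
		}
	}
	return hits
}

// sampleRequests is constructed sample input; the /inline-dag path is a
// placeholder, not a documented Dagu endpoint.
var sampleRequests = []string{
	"GET /inline-dag?dagRunId=run-20260313-abc",
	"GET /inline-dag?dagRunId=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
	"GET /inline-dag?dagRunId=%2e%2e%2f%2e%2e%2fetc%2fshadow",
	"GET /healthz",
}

func main() {
	base := "/var/lib/dagu/runs"
	for _, id := range []string{"run-20260313-abc", "../../../../etc/passwd"} {
		fmt.Printf("unsafe join: %q -> %s\n", id, unsafeRunFilePath(base, id))
		p, err := RunFilePath(base, id)
		fmt.Printf("hardened:    %q -> %q err=%v\n", id, p, err)
	}
	fmt.Println("flagged from log:", FlagTraversalRequests(sampleRequests))
}
```

The containment check in RunFilePath is deliberately redundant with the allowlist: if a later change relaxes the pattern (for example to allow a sub-directory per DAG), the filepath.Rel test still refuses any result that escapes the base directory.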
Update Dagu to version 2.2.4 or later. That release fixes the path traversal vulnerability by properly validating the `dagRunId` input.
CVE-2026-31886 is a critical path traversal vulnerability in Dagu (github.com/dagu-org/dagu) that allows an attacker to read arbitrary files readable by the Dagu process. It affects versions before 2.2.4.
You are affected if you are running a Dagu version prior to 2.2.4. Check the version of the deployed binary (for example with `go version -m` on the executable) and upgrade immediately if it is vulnerable.
Upgrade Dagu to version 2.2.4 or later. As a temporary measure, enforce strict allowlist validation on the dagRunId parameter and reject any value containing path separators or `..`.
As of now there are no confirmed reports of active exploitation, but the severity of an unauthenticated or low-privilege file read warrants close monitoring of request logs for traversal attempts.
Refer to the Dagu project's official repository and release notes for the advisory and detailed information: https://github.com/dagu-org/dagu