Platform
go
Component
github.com/dagu-org/dagu
Fixed version
2.2.5
CVE-2026-31886 is a critical path traversal vulnerability in Dagu, a Go-based workflow orchestration tool (github.com/dagu-org/dagu). An attacker who controls the dagRunId parameter used during inline DAG execution can make the server read files outside the directory it intends to serve from. The advisory text covers Dagu versions before 2.2.4; a patched release is available.
The root cause is that dagRunId is used to build a filesystem path without being validated, so a value containing `../` sequences walks out of the run directory. The attacker can then read any file the Dagu process user can read: Dagu's own configuration, credentials and tokens used by workflows, private keys, or source code. Arbitrary file read does not by itself execute code, but an orchestrator typically holds credentials for the systems it drives, so leaked secrets can be the first step toward compromising the host and the infrastructure its workflows reach.
CVE-2026-31886 was publicly disclosed on 2026-03-13. As of this writing there is no publicly available proof-of-concept exploit, and the vulnerability is not listed in the CISA KEV catalog; the EPSS score shown on this page is 0.15% (35th percentile). Path traversal payloads are trivial to construct once the vulnerable parameter is known, so treat the absence of a public PoC as temporary and monitor for attempts.
Any deployment of Dagu older than the fixed release is affected. Exposure is greatest where the Dagu API is reachable by untrusted users or networks and the host holds secrets for production systems. Teams relying on Dagu for critical automation should prioritise patching.
• go / binary: Check which release you are running (`dagu version` prints it in current builds) and confirm it is at or above the fixed version. If you build from source, review the code path that turns dagRunId into a file path and confirm the identifier is validated before it is joined to a directory.
• go / server: Monitor Dagu's server logs for requests whose dagRunId contains `..` or its percent-encoded forms (`%2e%2e`, `%2f`), and for file-not-found or permission errors that reference paths outside Dagu's data directory.
• generic web: Against an instance you are authorised to test, send the inline DAG execution request with a dagRunId containing a traversal sequence (for example `../../../../etc/passwd`) and check whether the response body contains file contents. The endpoint path below follows this page's description; confirm the actual route from your Dagu API before relying on the result.
curl 'http://dagu-server/inline-dag?dagRunId=../../../../etc/passwd'
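The log check in the second bullet, as an added Go example that is not part of this page or the Dagu project: it scans constructed access-log lines (the log format, the /inline-dag route and the sample requests are assumptions for illustration), fully percent-decodes each dagRunId, including double-encoded forms, and reports the requests carrying a traversal sequence together with the response status so that 200 responses can be triaged first.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is constructed for this example in a common access-log shape;
// it is not real Dagu output, and the /inline-dag route follows this page,
// not a verified Dagu API path.
var sampleLog = []string{
	`10.0.0.5 - - [13/Mar/2026:10:00:01 +0000] "GET /inline-dag?dagRunId=run-20260313-01 HTTP/1.1" 200 512`,
	`10.0.0.9 - - [13/Mar/2026:10:00:07 +0000] "GET /inline-dag?dagRunId=../../../../etc/passwd HTTP/1.1" 200 1803`,
	`10.0.0.9 - - [13/Mar/2026:10:00:09 +0000] "GET /inline-dag?dagRunId=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0`,
	`10.0.0.9 - - [13/Mar/2026:10:00:11 +0000] "GET /inline-dag?dagRunId=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1803`,
	`10.0.0.7 - - [13/Mar/2026:10:00:15 +0000] "POST /api/v1/dags HTTP/1.1" 201 40`,
}

// logLine captures client, method, request target and status from a CLF-style line.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding is one request whose dagRunId carried a traversal sequence.
type Finding struct {
	Line    int    // 1-based index into the input
	Client  string // source address from the log line
	Status  string // HTTP status the server returned
	Raw     string // dagRunId after the single decode the query parser applies
	Decoded string // fully percent-decoded value that was checked
}

// decodeFully percent-decodes until the value stops changing (bounded), so a
// double-encoded payload such as %252e%252e%252f normalises to "../".
func decodeFully(s string) string {
	for i := 0; i < 4; i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			return s
		}
		s = d
	}
	return s
}

// isTraversal reports whether a decoded identifier contains a parent-directory
// component, treating backslashes as separators as well as slashes.
func isTraversal(id string) bool {
	for _, part := range strings.Split(strings.ReplaceAll(id, `\`, "/"), "/") {
		if part == ".." {
			return true
		}
	}
	return false
}

// scanLog returns one Finding per request whose dagRunId parameter contains a
// traversal sequence after full decoding; lines without the parameter are skipped.
func scanLog(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		u, err := url.Parse(m[3])
		if err != nil {
			continue
		}
		raw := u.Query().Get("dagRunId")
		if raw == "" {
			continue
		}
		decoded := decodeFully(raw)
		if isTraversal(decoded) {
			out = append(out, Finding{Line: i + 1, Client: m[1], Status: m[4], Raw: raw, Decoded: decoded})
		}
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("line %d client=%s status=%s dagRunId=%q\n", f.Line, f.Client, f.Status, f.Decoded)
	}
}
```

Run over the sample it flags lines 2, 3 and 4; the 403 on line 3 suggests a blocked attempt, while the two 200 responses with a 1803-byte body are the ones to escalate. Point `scanLog` at your real server log once you have confirmed the request format Dagu actually writes.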
Exploitation status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-31886 is to upgrade Dagu to a release that contains the fix. The advisory text gives 2.2.4 as the first fixed version while the fixed-version field on this page lists 2.2.5; confirm the exact release against the project's release notes and upgrade to at least that version. If you cannot upgrade immediately, reject any dagRunId that is not a plain identifier (no path separators, no `..`) before it is used to build a path, and verify that the resolved path still lies inside the run directory. A WAF rule that blocks `..`, `%2e%2e` and encoded separators in the parameter buys time but can be bypassed by encoding variants and is not a substitute for the fix. Restrict network access to the Dagu API, run the process as a low-privilege user, and keep secrets out of files that user can read, so that a successful read exposes as little as possible.
Update Dagu to 2.2.4 or later. This version fixes the path traversal vulnerability by properly validating the `dagRunId` input.
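As an added worked example, not Dagu's own code (the run directory, the identifier format, the route and the status file name are assumptions), the following Go program shows the bug class beside its hardened form: an unvalidated join that lets a traversal payload escape the run directory, and a lookup that allow-lists the identifier and then verifies containment after the join.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// runsDir is an assumed location for per-run state; this page does not show
// Dagu's real directory layout, so treat it as a placeholder.
const runsDir = "/var/lib/dagu/runs"

// vulnerableRunPath reproduces the bug class the advisory describes: the
// attacker-controlled dagRunId is joined into a filesystem path without
// validation. filepath.Join cleans the result, so "../../../../etc/passwd"
// walks out of runsDir instead of being rejected.
func vulnerableRunPath(dagRunId string) string {
	return filepath.Join(runsDir, dagRunId, "status.json")
}

// runIDPattern is an assumed allow-list for run identifiers (letters, digits,
// '-', '_', bounded length); adjust it to the format your deployment uses.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrInvalidRunID = errors.New("invalid dagRunId")

// safeRunPath applies two independent checks: an allow-list on the identifier
// itself, then a containment check that the cleaned path still lies under
// runsDir. Either check alone stops the traversal; keeping both means a later
// relaxation of the allow-list cannot silently reopen the hole.
func safeRunPath(dagRunId string) (string, error) {
	if !runIDPattern.MatchString(dagRunId) {
		return "", ErrInvalidRunID
	}
	p := filepath.Join(runsDir, dagRunId, "status.json")
	rel, err := filepath.Rel(runsDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidRunID
	}
	return p, nil
}

// statusHandler illustrates the hardened lookup behind an HTTP endpoint; the
// route and parameter name follow this page, not a verified Dagu API. net/http
// has already percent-decoded the query value by the time Get returns it, so
// "..%2f" arrives here as "../" and is caught by the allow-list.
func statusHandler(w http.ResponseWriter, r *http.Request) {
	p, err := safeRunPath(r.URL.Query().Get("dagRunId"))
	if err != nil {
		http.Error(w, "invalid dagRunId", http.StatusBadRequest)
		return
	}
	data, err := os.ReadFile(p)
	if err != nil {
		http.Error(w, "run not found", http.StatusNotFound)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(data)
}

func main() {
	for _, id := range []string{"run-20260313-01", "../../../../etc/passwd", "..", ""} {
		fmt.Printf("%-26q vulnerable -> %s\n", id, vulnerableRunPath(id))
		if p, err := safeRunPath(id); err != nil {
			fmt.Printf("%-26q hardened   -> rejected (%v)\n", id, err)
		} else {
			fmt.Printf("%-26q hardened   -> %s\n", id, p)
		}
	}
	// To expose the hardened lookup: http.ListenAndServe(":8080", http.HandlerFunc(statusHandler))
}
```

The containment check uses filepath.Rel after the join rather than a string prefix test on the joined path, so a sibling directory such as `/var/lib/dagu/runs-old` is not mistaken for a child of `runsDir`. If the deployment follows symlinks inside the run directory, resolve with filepath.EvalSymlinks before the Rel check as well.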
CVE-2026-31886 is a critical Path Traversal vulnerability in Dagu (github.com/dagu-org/dagu) allowing attackers to read arbitrary files. It affects versions before 2.2.4.
You are affected if you are running Dagu versions prior to 2.2.4. Check your Dagu version and upgrade immediately if vulnerable.
Upgrade Dagu to version 2.2.4 or later. As a temporary measure, implement strict input validation on the dagRunId parameter.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants close monitoring.
Refer to the Dagu project's official repository and release notes for the advisory and detailed information: https://github.com/dagu-org/dagu