CVE-2026-24124
Published 2026-01-22
Priority P269 · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.71% (49.0th percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.4.1 | 2.4.1 |
| dragonflyoss | dragonfly | < 2.4.1-rc.1 | 2.4.1-rc.1 |
| linuxfoundation | dragonfly | < 2.4.1 | 2.4.1 |
| linuxfoundation | dragonfly | — | — |
Detection & IOCs (extracted from sources)
URL: /api/v1/jobs
- Monitor for unauthenticated HTTP requests (missing or absent Authorization/JWT headers) targeting the /api/v1/jobs endpoint on Dragonfly Manager API instances.
- Flag GET, PUT/PATCH, and DELETE HTTP methods to /api/v1/jobs (and sub-paths) originating from sources that do not present a valid JWT Bearer token; these requests should normally be rejected but are processed in vulnerable versions.
- The vulnerability is a missing authentication/authorization control in routing configuration, not a code-execution bug. Detection relies on observing unauthenticated access to the jobs API rather than a unique exploit payload.
- Exploitation requires network access to the Manager API port. Restricting network exposure of the Manager API is a key mitigation until patching to 2.4.1-rc.1.
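The detection guidance above boils down to one rule: a request to /api/v1/jobs (or a sub-path) that carries no JWT Bearer token and still gets a 2xx answer means the Manager processed it without authentication. The following script is an added example, not part of this record and not Dragonfly's own tooling; it runs that rule over a handful of constructed access-log lines. It assumes a combined-log layout with one extra quoted field holding the Authorization header (written as "-" when absent), which is an assumption about the log format, not Dragonfly's actual format. The token check is a shape check only (three base64url segments after "Bearer"); it cannot verify signatures, and is not meant to.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample access log (not taken from the page or from Dragonfly). Layout is
# combined-log style plus one extra quoted field holding the Authorization header ("-" if absent).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2026:10:01:02 +0000] "GET /api/v1/jobs HTTP/1.1" 200 512 "-" "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln"
10.0.0.9 - - [22/Jan/2026:10:01:05 +0000] "GET /api/v1/jobs HTTP/1.1" 200 512 "-" "-"
10.0.0.9 - - [22/Jan/2026:10:01:07 +0000] "DELETE /api/v1/jobs/42 HTTP/1.1" 200 0 "-" "-"
10.0.0.9 - - [22/Jan/2026:10:01:09 +0000] "PUT /api/v1/jobs/42?force=1 HTTP/1.1" 200 0 "-" "Basic dXNlcjpwYXNz"
10.0.0.3 - - [22/Jan/2026:10:01:11 +0000] "GET /api/v1/users HTTP/1.1" 200 128 "-" "-"
10.0.0.7 - - [22/Jan/2026:10:01:13 +0000] "GET /api/v1/jobs HTTP/1.1" 401 0 "-" "-"
"""

JOBS_PATH = "/api/v1/jobs"  # endpoint named in the advisory

# Assumed log layout: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "authz"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<authz>[^"]*)"$'
)

# Shape of a JWT Bearer credential: three base64url segments separated by dots.
# This only says a JWT-shaped token was presented; signature validation is the Manager's job.
JWT_BEARER_RE = re.compile(r'^Bearer [A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$')


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    authorization: str
    processed: bool  # True when the server answered 2xx, i.e. the request was not rejected


def is_jobs_path(path: str) -> bool:
    """True for /api/v1/jobs and any sub-path, ignoring the query string."""
    path = path.split("?", 1)[0]
    return path == JOBS_PATH or path.startswith(JOBS_PATH + "/")


def find_unauthenticated_job_requests(log_text: str) -> list[Finding]:
    """Return every request to the jobs API that did not carry a JWT Bearer token.

    A 2xx answer to such a request is the signal the advisory describes: a Manager that
    processed a job request without authentication is running a vulnerable version.
    """
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or not is_jobs_path(m["path"]):
            continue
        if JWT_BEARER_RE.match(m["authz"]):
            continue  # a JWT-shaped token was presented; not an indicator by itself
        status = int(m["status"])
        findings.append(Finding(
            ip=m["ip"], timestamp=m["ts"], method=m["method"], path=m["path"],
            status=status, authorization=m["authz"], processed=200 <= status < 300,
        ))
    return findings


def processed_by_source(findings: list[Finding]) -> dict[str, int]:
    """Count, per client IP, unauthenticated job requests the Manager actually processed."""
    counts: dict[str, int] = {}
    for f in findings:
        if f.processed:
            counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_job_requests(SAMPLE_LOG)
    for f in hits:
        verdict = "PROCESSED (vulnerable instance?)" if f.processed else "rejected"
        print(f"{f.timestamp} {f.ip} {f.method} {f.path} -> {f.status} {verdict}")
    print("processed unauthenticated job requests per source:", processed_by_source(hits))
```

On the constructed sample the 401 from the last line is reported but not counted as processed, which is the behaviour a patched Manager should show; the three 2xx answers to token-less requests from 10.0.0.9 are the ones worth an alert. A Basic credential is treated the same as no credential because the advisory's missing control is JWT middleware, so only a JWT Bearer token counts as authenticated.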
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.9 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV (2026-02-02): CVE-2026-24124 Dragonfly Manager Job API Unauthenticated Access in d7y.io/dragonfly
OSV (2026-01-22): CVE-2026-24124 [HIGH] Dragonfly Manager Job API Unauthenticated Access
## Summary
Dragonfly Manager's Job REST API endpoints lack authentication, allowing unauthenticated attackers to create, query, modify, and delete jobs, potentially leading to resource exhaustion, information disclosure, and service disruption.
## Affected Products
- **Product**: Dragonfly
- **Component**: Manager (REST API)
- **Affected Versions**: v2.x (based on source code analysis, including v2.4.0)
- **Affected Endpoints**: `/api/v1/jobs`
## Vulnerability Details
### Description
Dragonfly Manager's Job API endpoints (`/api/v1/jobs`) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to perform the following operations:
GHSA (2026-01-22): CVE-2026-24124 [HIGH] CWE-306 Dragonfly Manager Job API Unauthenticated Access
No detection rules found.
No public exploits indexed.
Published 2026-01-22