cbcvebase.
CVE-2026-31882
published 2026-03-13

CVE-2026-31882: Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic)…

PriorityP356high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.78%
51.2th percentile
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.

Affected

3 ranges
VendorProductVersion rangeFixed in
dagu-orgdagu< 2.2.42.2.4
dagudagu< 2.2.42.2.4
dagudagu>= 0 < 2.2.42.2.4
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.