CVE-2026-31886
published 2026-03-13CVE-2026-31886: Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is…
PriorityP348high7.6CVSS 3.1
AVNACLPRLUINSUCLILAH
EPSS
0.42%
33.8th percentile
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp// path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dagu-org | dagu | < 2.2.4 | 2.2.4 |
| dagu | dagu | < 2.2.4 | 2.2.4 |
| github.com | dagu-org_dagu | 0 – 2.2.4 | — |
CVSS provenance
nvdv3.17.6HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
ghsa7.1HIGH
osv7.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu
osv·2026-03-13
CVE-2026-31886 Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution in github.com/dagu-org/dagu
GHSA
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
ghsa·2026-03-13·CVSS 7.1
CVE-2026-31886 [HIGH] CWE-22 Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
## 1. Vulnerability Summary
The `dagRunId` request field accepted by the inline DAG execution endpoints is passed directly into `filepath.Join` to construct a temporary directory path without any format validation. Go's `filepath.Join` resolves `..` segments lexically, so a caller can supply a value such as `".."` to redirect the computed directory outside the intended `/tmp//` path. A deferred cleanup function that calls `os.RemoveAll` on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to.
With `dagRunId` set to `".."`, the resolved directory is the system temporary directory (`/tmp` on Linux). On non-root deployments, `os.RemoveAll("/tmp")` removes all
OSV
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
osv·2026-03-13·CVSS 7.1
CVE-2026-31886 [HIGH] Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
Dagu: Path Traversal via `dagRunId` in Inline DAG Execution
## 1. Vulnerability Summary
The `dagRunId` request field accepted by the inline DAG execution endpoints is passed directly into `filepath.Join` to construct a temporary directory path without any format validation. Go's `filepath.Join` resolves `..` segments lexically, so a caller can supply a value such as `".."` to redirect the computed directory outside the intended `/tmp//` path. A deferred cleanup function that calls `os.RemoveAll` on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to.
With `dagRunId` set to `".."`, the resolved directory is the system temporary directory (`/tmp` on Linux). On non-root deployments, `os.RemoveAll("/tmp")` removes all
No detection rules found.
No public exploits indexed.
2026-03-13
Published