CVE-2026-33344
published 2026-03-24CVE-2026-33344: Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to…
PriorityP349high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.47%
37.1th percentile
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dagu | dagu | >= 2.0.0 < 2.3.1 | 2.3.1 |
| github.com | dagu-org_dagu | >= 1.30.4-0.20260221021317-e2ed589105d7 < 1.30.4-0.20260319093346-7d07fda8f9de | 1.30.4-0.20260319093346-7d07fda8f9de |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
ghsa7.1HIGH
osv7.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in github.com/dagu-org/dagu
osv·2026-03-23·CVSS 7.1
CVE-2026-33344 [HIGH] Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in github.com/dagu-org/dagu
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in github.com/dagu-org/dagu
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in github.com/dagu-org/dagu
GHSA
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
ghsa·2026-03-19·CVSS 7.1
CVE-2026-33344 [HIGH] CWE-22 Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL path parameter to `locateDAG` without calling `ValidateDAGName`. `%2F`-encoded forward slashes in the `{fileName}` segment traverse outside the DAGs directory.
### Vulnerable code
`internal/persis/filedag/store.go`, lines 508-513:
```go
func (store *Storage) locateDAG(nameOrPath string) (string, error) {
if strings.Contains(nameOrPath, string(filepath.Separator)) {
foundPath, err := findDAGFile(nameOrPath)
if err == nil {
OSV
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
osv·2026-03-19·CVSS 7.1
CVE-2026-33344 [HIGH] Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL path parameter to `locateDAG` without calling `ValidateDAGName`. `%2F`-encoded forward slashes in the `{fileName}` segment traverse outside the DAGs directory.
### Vulnerable code
`internal/persis/filedag/store.go`, lines 508-513:
```go
func (store *Storage) locateDAG(nameOrPath string) (string, error) {
if strings.Contains(nameOrPath, string(filepath.Separator)) {
foundPath, err := findDAGFile(nameOrPath)
if err == nil {
No detection rules found.
No public exploits indexed.
2026-03-24
Published