Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.

INFO

Published Date :

2026-03-13T19:28:25.615Z

Last Modified :

2026-03-13T19:43:56.406Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31882 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31882.

URL Resource
https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775 cve-icon cve-icon
https://github.com/dagu-org/dagu/pull/1752 cve-icon cve-icon
https://github.com/dagu-org/dagu/releases/tag/v2.2.4 cve-icon cve-icon
https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact