FKIE_CVE-2026-31886

Vulnerability from fkie_nvd - Published: 2026-03-13 19:54 - Updated: 2026-03-18 15:24
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Summary
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.
References
security-advisories@github.comhttps://github.com/dagu-org/dagu/commit/12c2e5395bd9331d49ca103593edfd0db39c4f38Patch
security-advisories@github.comhttps://github.com/dagu-org/dagu/security/advisories/GHSA-m4q3-457p-hh2xExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
dagu dagu *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "681DF7E8-8500-4F63-8E04-FC8AB4CAFD3A",
              "versionEndExcluding": "2.2.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go\u0027s filepath.Join resolves .. segments lexically, so a caller can supply a value such as \"..\" to redirect the computed directory outside the intended /tmp/\u003cname\u003e/\u003cid\u003e path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to \"..\", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll(\"/tmp\") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4."
    },
    {
      "lang": "es",
      "value": "Dagu es un motor de flujo de trabajo con una interfaz de usuario web integrada. Antes de la versi\u00f3n 2.2.4, el campo de solicitud dagRunId aceptado por los puntos finales de ejecuci\u00f3n de DAG en l\u00ednea se pasa directamente a filepath.Join para construir una ruta de directorio temporal sin ninguna validaci\u00f3n de formato. filepath.Join de Go resuelve los segmentos \u0027..\u0027 l\u00e9xicamente, por lo que un llamador puede proporcionar un valor como \u0027..\u0027 para redirigir el directorio calculado fuera de la ruta prevista /tmp//. Una funci\u00f3n de limpieza diferida que llama a os.RemoveAll en ese directorio se ejecuta incondicionalmente cuando el gestor HTTP regresa, eliminando cualquier directorio al que se resolvi\u00f3 el recorrido. Con dagRunId establecido en \u0027..\u0027, el directorio resuelto es el directorio temporal del sistema (/tmp en Linux). En despliegues sin privilegios de root, os.RemoveAll(\u0027/tmp\u0027) elimina todos los archivos en /tmp propiedad del usuario del proceso dagu, interrumpiendo cada ejecuci\u00f3n concurrente de dagu que tiene archivos temporales activos. En despliegues con privilegios de root o Docker, la llamada elimina todo el contenido de /tmp, causando una denegaci\u00f3n de servicio a nivel de sistema. Esta vulnerabilidad se corrige en la versi\u00f3n 2.2.4."
    }
  ],
  "id": "CVE-2026-31886",
  "lastModified": "2026-03-18T15:24:15.453",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-13T19:54:37.690",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dagu-org/dagu/commit/12c2e5395bd9331d49ca103593edfd0db39c4f38"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-m4q3-457p-hh2x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.