CVE-2026-31882 in dagu
Summary
by MITRE • 03/13/2026
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.
Analysis
by VulDB Data Team • 03/20/2026
CVE-2026-31882 affects Dagu workflow engine versions prior to 2.2.4 and is an authentication bypass in the engine's Server-Sent Events (SSE) implementation. It arises when the system is configured with HTTP Basic authentication through the DAGU_AUTH_MODE=basic environment variable: the access controls meant to protect real-time workflow monitoring and management are not applied to the streaming endpoints. The root cause sits in the authentication handling for those endpoints, where the buildStreamAuthOptions() function does not enforce an authentication requirement even though basic authentication is configured.
The defect lies in how the authentication options are constructed for SSE endpoints. When basic authentication is enabled, buildStreamAuthOptions() returns an auth.Options struct that sets BasicAuthEnabled to true but leaves AuthRequired at its Go zero value, false. The authentication middleware at internal/service/frontend/auth/middleware.go lets a request proceed without credentials whenever AuthRequired is false, so the basic-auth setting is never consulted for these routes and the engine's real-time data streams are left unprotected. This is a case of an insecure default (an unset field that silently disables enforcement) and is classified under CWE-284 Access Control Issues, where insufficient access control allows unauthorized users to reach protected resources.
The operational impact is significant: unauthenticated attackers can read real-time DAG execution data, workflow configurations, execution logs, and queue status. By following ongoing executions they learn about business processes, data flows, and system operations, which is useful material for reconnaissance and follow-on attacks. Execution logs and queue status additionally reveal system performance, resource utilization, and workflow dependencies that could support privilege escalation or targeted attacks. The vulnerability therefore affects the confidentiality and integrity of the workflow engine's operational data, since information that should sit behind authentication is readable by anyone who can reach the SSE endpoints.
The exposure is not limited to passive information disclosure. An attacker with access to the streaming endpoints could observe execution progress and timing and use that to interfere with workflow execution, or use the exposed information to plan more sophisticated attacks against the broader system. The vulnerability is mapped to ATT&CK technique T1078 Valid Accounts, since it exploits the legitimate authentication configuration to reach protected resources through a misconfigured authorization mechanism. Organizations running Dagu with basic authentication risk exposing their workflow orchestration data to unauthorized parties, with possible compliance violations, intellectual property exposure, and operational security breaches affecting both business operations and regulatory obligations.
The fix in version 2.2.4 addresses the root cause: when HTTP Basic authentication is enabled, all streaming endpoints require authentication, because AuthRequired is set to true explicitly whenever basic authentication is active rather than being left at its false default. Organizations should upgrade to 2.2.4 or later and monitor for unauthenticated access attempts against the streaming endpoints. Security teams should also verify that authentication is enforced on every endpoint, including streaming and real-time data routes, since the same pattern can recur in other components of a workflow orchestration system. More generally, authentication flows for non-standard endpoints such as streaming services deserve explicit testing, and security settings should be checked for consistent application across all system components.
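As an added illustration that is not Dagu's own code, the following Go program reconstructs the pattern the advisory describes and the shape of the fix: one options builder enables basic auth but leaves AuthRequired at its zero value, a second sets it explicitly, and a middleware only checks credentials when AuthRequired is true. The Options type, the function names, the credentials and the /events path are assumptions for this example. It uses net/http/httptest to show that the vulnerable options answer an unauthenticated request with 200 while the fixed options answer 401.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options mirrors the shape the advisory describes: the middleware enforces
// credentials only when AuthRequired is true. Field and type names are
// assumptions for this example, not Dagu's actual definitions.
type Options struct {
	AuthRequired     bool
	BasicAuthEnabled bool
	Username         string
	Password         string
}

// buildStreamAuthOptionsVulnerable reproduces the defect: for mode "basic"
// it enables basic auth but never sets AuthRequired, so the middleware sees
// the Go zero value (false).
func buildStreamAuthOptionsVulnerable(mode, user, pass string) Options {
	if mode == "basic" {
		return Options{BasicAuthEnabled: true, Username: user, Password: pass}
	}
	return Options{}
}

// buildStreamAuthOptionsFixed sets AuthRequired explicitly whenever basic
// auth is enabled, which is the behaviour the advisory attributes to 2.2.4.
func buildStreamAuthOptionsFixed(mode, user, pass string) Options {
	if mode == "basic" {
		return Options{AuthRequired: true, BasicAuthEnabled: true, Username: user, Password: pass}
	}
	return Options{}
}

// authMiddleware is a minimal stand-in for the described middleware: when
// AuthRequired is false every request passes, regardless of BasicAuthEnabled.
func authMiddleware(opts Options, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !opts.AuthRequired {
			next.ServeHTTP(w, r) // the bypass: no credentials are checked at all
			return
		}
		if opts.BasicAuthEnabled {
			u, p, ok := r.BasicAuth()
			if ok && subtle.ConstantTimeCompare([]byte(u), []byte(opts.Username)) == 1 &&
				subtle.ConstantTimeCompare([]byte(p), []byte(opts.Password)) == 1 {
				next.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="restricted"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// streamStatus sends one GET to a stand-in SSE handler wrapped in the
// middleware and returns the HTTP status code. withCreds controls whether
// the request carries the correct Authorization header.
func streamStatus(opts Options, withCreds bool) int {
	sse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "event: status\ndata: {\"queue\":\"idle\"}\n\n") // constructed event
	})
	srv := httptest.NewServer(authMiddleware(opts, sse))
	defer srv.Close()
	// "/events" is a placeholder route for this example, not Dagu's real path.
	req, _ := http.NewRequest(http.MethodGet, srv.URL+"/events", nil)
	if withCreds {
		req.SetBasicAuth(opts.Username, opts.Password)
	}
	resp, err := srv.Client().Do(req)
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() {
	vuln := buildStreamAuthOptionsVulnerable("basic", "admin", "s3cret")
	fixed := buildStreamAuthOptionsFixed("basic", "admin", "s3cret")
	fmt.Println("vulnerable, no creds:", streamStatus(vuln, false)) // 200: bypass
	fmt.Println("fixed, no creds:     ", streamStatus(fixed, false)) // 401
	fmt.Println("fixed, with creds:   ", streamStatus(fixed, true))  // 200
}
```

The same three requests are a reasonable acceptance check after upgrading a real deployment: an unauthenticated request to an SSE endpoint should receive 401 once basic auth is enabled, and a request with valid credentials should still stream.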