CVE-2026-31886 in dagu

Summary

by MITRE • 03/13/2026

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.


Analysis

by VulDB Data Team • 03/20/2026

CVE-2026-31886 affects Dagu workflow engine versions prior to 2.2.4, specifically the inline DAG execution endpoints that handle the dagRunId request field. It is a classic path traversal flaw: user-supplied input is incorporated into a file path without validation or sanitization. Because the affected path is the per-run temporary directory, the traversal lets a caller steer a directory deletion outside the intended location.

The vulnerability stems from the use of Go's filepath.Join, which resolves path segments lexically, including the .. component. When a dagRunId value containing ".." sequences is supplied, the constructed path escapes the intended temporary directory structure. This violates the basic requirement that externally supplied path components be validated and sanitized before use, and it allows the temporary directory location to be redirected to system-wide directories. The vulnerability is categorized under CWE-22 as Path Traversal and aligns with ATT&CK technique T1490 for Data Destruction, specifically targeting system temporary directories.

The operational impact is severe and depends on the deployment environment. In non-root deployments, os.RemoveAll runs against the system temporary directory and removes every file in /tmp owned by the dagu process user, disrupting concurrent workflow executions and causing cascading failures across running processes. When dagu runs as root or inside a Docker container, the entire contents of /tmp are deleted, leading to a system-wide denial of service. The exploitation is particularly dangerous because the deletion is a side effect of an ordinary HTTP request and does not require elevated privileges.

Mitigation requires immediate patching to version 2.2.4, where the issue is resolved through proper validation and sanitization of the dagRunId parameter. Organizations should also enforce input validation that rejects or sanitizes any path traversal sequences before they reach filepath.Join. Additional defensive measures include restricting the privileges of the dagu process to limit the scope of potential damage, applying proper directory access controls, and monitoring for unusual directory deletion patterns. The fix should also include proper error handling and validation of temporary directory paths so that no form of path traversal is possible. Security teams should conduct thorough penetration testing to verify that no similar vulnerabilities exist in the workflow engine's file handling, and implement automated security scanning to detect similar path traversal issues in other components.
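As an added illustration of the path computation described in the summary and analysis above (example code, not Dagu's own source): the first function reproduces the unchecked filepath.Join pattern so the lexical collapse of ".." to /tmp is visible, and the second shows one hardened form with an identifier allow-list plus a containment check on the final path. The allow-list pattern and the helper names are assumptions, not the project's actual validation rule.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// tempRoot stands in for the system temporary directory named in the advisory.
const tempRoot = "/tmp"

// vulnerableTempDir reproduces the pre-2.2.4 pattern the advisory describes: the
// caller-supplied dagRunId goes straight into filepath.Join, which resolves ".."
// lexically, so the result can point outside tempRoot/<name>.
func vulnerableTempDir(name, dagRunId string) string {
	return filepath.Join(tempRoot, name, dagRunId)
}

// dagRunIdPattern is an assumed allow-list (letters, digits, '-', '_'), not the
// project's actual rule; it rejects separators and ".." outright.
var dagRunIdPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)
var errBadRunID = errors.New("invalid dagRunId")

// safeTempDir layers two independent checks: the allow-list on both identifiers,
// and a containment check on the computed path, so the directory handed to a
// deferred os.RemoveAll can never be tempRoot/<name> itself or anything above it.
func safeTempDir(name, dagRunId string) (string, error) {
	if !dagRunIdPattern.MatchString(name) || !dagRunIdPattern.MatchString(dagRunId) {
		return "", errBadRunID
	}
	base := filepath.Join(tempRoot, name)
	dir := filepath.Join(base, dagRunId)
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadRunID
	}
	return dir, nil
}

func main() {
	// Constructed inputs: a normal id and the ".." value from the advisory.
	for _, id := range []string{"run-1", ".."} {
		dir, err := safeTempDir("mydag", id)
		fmt.Printf("id=%q vulnerable=%s safe=%q err=%v\n",
			id, vulnerableTempDir("mydag", id), dir, err)
	}
}
```

Validation must run before the cleanup is deferred; a defer registered against an unvalidated path still executes when the handler returns.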

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00058

KEV

no

Activities

very low
