{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31882", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.686Z", "datePublished": "2026-03-13T19:28:25.615Z", "dateUpdated": "2026-03-13T19:43:56.406Z"}, "containers": {"cna": {"title": "Dagu SSE Authentication Bypass in Basic Auth Mode", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"}, {"name": "https://github.com/dagu-org/dagu/pull/1752", "tags": ["x_refsource_MISC"], "url": "https://github.com/dagu-org/dagu/pull/1752"}, {"name": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775", "tags": ["x_refsource_MISC"], "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"}, {"name": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"version": "< 2.2.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:28:25.615Z"}, "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4."}], "source": {"advisory": "GHSA-9wmw-9wph-2vwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T19:43:49.630099Z", "id": "CVE-2026-31882", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:43:56.406Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31882", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:43:49.630099Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:43:53.328Z"}}], "cna": {"title": "Dagu SSE Authentication Bypass in Basic Auth Mode", "source": {"advisory": "GHSA-9wmw-9wph-2vwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"status": "affected", "version": "< 2.2.4"}]}], "references": [{"url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp", "name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dagu-org/dagu/pull/1752", "name": "https://github.com/dagu-org/dagu/pull/1752", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775", "name": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4", "name": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T19:28:25.615Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31882", "state": "PUBLISHED", "dateUpdated": "2026-03-13T19:43:56.406Z", "dateReserved": "2026-03-09T21:59:02.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T19:28:25.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*", "matchCriteriaId": "681DF7E8-8500-4F63-8E04-FC8AB4CAFD3A", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4."}], "id": "CVE-2026-31882", "lastModified": "2026-03-18T20:14:20.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:37.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/dagu-org/dagu/pull/1752"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dagu", "source": "cna", "vendor": "dagu-org"}, "product": "dagu", "vendor": "dagu-org"}], "analysis": {"en": {"generated_at": "2026-03-18T21:52:33.122018+00:00", "value": {"mitigation_remediation": ["Upgrade Dagu to version 2.2.4 or later"], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass / Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the Dagu workflow engine from dagu-org prior to version 2.2.4. Any instance running a version earlier than 2.2.4 with Basic authentication enabled is susceptible. Users should verify their Dagu version and upgrade if necessary.", "description_and_impact": "Dagu is a workflow engine that delivers real\u2011time data via Server\u2011Sent Events (SSE) in its web interface. When configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), the authentication middleware incorrectly marks SSE endpoints as not requiring credentials because the AuthRequired flag defaults to false. As a result, unauthenticated users can connect to any SSE endpoint and read real\u2011time execution data, workflow configurations, execution logs, and queue status, effectively bypassing the REST API\u2019s authentication layer. The weakness is a credential\u2011related issue (CWE\u2011306).", "risk_and_exploitability": "The CVSS Base Score is 7.5, indicating a medium\u2011high severity. The EPSS score is below 1%, suggesting low current exploitation probability, but the vulnerability is publicly documented and could be leveraged by an attacker with network access to the SSE endpoints. It is not listed in the CISA KEV catalog. An attacker requires only unauthenticated HTTP(S) connectivity to the server to exploit the flaw and gain sensitive information; no privileged access or code execution is required."}}}}, "created": "2026-03-16T09:24:16.035944+00:00", "updated": "2026-03-23T13:40:12.266601+00:00", "vendors": ["dagu-org", "dagu-org$PRODUCT$dagu"]}