CVE-2026-24124
Unauthorized Access via Missing JWT Authentication in Dragonfly Jobs API
Publication date: 2026-01-22
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linuxfoundation | dragonfly | before 2.4.1 (exclusive) |
| linuxfoundation | dragonfly | 2.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Dragonfly versions 2.4.1-rc.0 and below, the Manager registers the Job API endpoints (/api/v1/jobs) without the JWT authentication middleware or the RBAC authorization checks that these operations require. This is a missing-authentication bug (CWE-306): any client that can reach the Manager API can list, modify, and delete jobs without presenting any credentials. The issue is fixed in version 2.4.1-rc.1.
How can this vulnerability impact me?
An unauthenticated attacker with network access to the Manager API can read job records, change job details, and delete jobs. In practice that means exposure of whatever operational data the job records carry, tampering with scheduled work (loss of data integrity), and disruption of service through deletion or modification of jobs.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Dragonfly to version 2.4.1-rc.1 or later, where the Job API endpoints sit behind the JWT authentication middleware and RBAC authorization checks. Until the upgrade is in place, the usual compensating controls apply: restrict network reachability of the Manager API to trusted clients, and review job records for changes that no authenticated user made.
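The two layers the advisory says were missing, as an added example that is not Dragonfly's own code: a self-contained Go program (Dragonfly's Manager is a Go service, but its real JWT and RBAC components, types and route setup differ from this) with a hand-rolled HS256 verifier, a `protect` middleware that authenticates the bearer JWT and then checks the caller's role, and the same `/api/v1/jobs` handler exposed once bare and once behind `protect`. `probe` issues a GET to each so the contrast is visible: the bare handler answers anyone, the protected one returns 401 without a valid token and 403 with a token whose role does not match. The signing key, the claim names, the `admin` role, the handler and variable names and the sample job record are all assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// jwtKey is a placeholder for this example; assume a real deployment loads it from a secret store.
var jwtKey = []byte("example-key-not-for-production")

// claims is the subset of JWT claims the middleware acts on (names are assumptions).
type claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 is the HMAC-SHA256 primitive shared by signing and verification.
func hs256(input string) []byte {
	mac := hmac.New(sha256.New, jwtKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// signJWT mints a minimal HS256 token; in this example it only produces test inputs.
func signJWT(c claims) string {
	payload, _ := json.Marshal(c)
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(hs256(input))
}

// verifyJWT checks the HS256 signature in constant time (so "alg":"none" is rejected) and enforces exp.
func verifyJWT(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := base64.RawURLEncoding.DecodeString
	sig, errSig := dec(parts[2])
	if errSig != nil || !hmac.Equal(sig, hs256(parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("bad signature")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hdrRaw, errHdr := dec(parts[0])
	if errHdr != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg")
	}
	var c claims
	body, errBody := dec(parts[1])
	if errBody != nil || json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("invalid or expired claims")
	}
	return &c, nil
}

// protect is the missing layer: authentication (valid bearer JWT), then authorization (role).
func protect(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		c, err := verifyJWT(strings.TrimPrefix(auth, "Bearer "), time.Now())
		switch {
		case !strings.HasPrefix(auth, "Bearer ") || err != nil:
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		case c.Role != role:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// jobs stands in for the job listing handler; the body is constructed sample data.
var jobs = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `[{"id":1,"type":"preheat","state":"PENDING"}]`)
})

// vulnerable exposes the handler bare (the CWE-306 condition the advisory describes);
// hardened is the identical handler behind protect().
var vulnerable, hardened http.Handler = jobs, protect("admin", jobs)

// probe sends GET /api/v1/jobs with the given Authorization header and returns the status.
func probe(h http.Handler, authHeader string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/jobs", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe(vulnerable, ""), probe(hardened, "")) }
```

`go run` prints `200 401`: the unauthenticated request that the advisory describes succeeds against the bare registration and is refused once the middleware is in front of it. The ordering inside `protect` matters: the role check only runs after the signature and expiry have been verified, so a forged or expired token never reaches the authorization decision, and a token with the wrong role gets 403 rather than 401 so the two failure modes stay distinguishable in logs.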