CVE-2026-31886
Path Traversal in Dagu Workflow Engine Causes System-wide DoS
Publication date: 2026-03-13
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dagu | dagu | up to 2.2.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31886 is a critical path traversal vulnerability in the Dagu workflow engine's inline DAG execution endpoints. The vulnerability arises because the dagRunId parameter, which is supplied by the user, is passed directly into a function that constructs a temporary directory path without any validation or sanitization.

Specifically, the Go function filepath.Join resolves '..' segments lexically, allowing an attacker to supply values like ".." to escape the intended temporary directory path. When the server later attempts to clean up by deleting this directory, it ends up deleting unintended directories such as the system temporary directory (/tmp).

This happens because a deferred cleanup function calls os.RemoveAll on the resolved directory unconditionally, which can lead to deletion of critical files and directories.

The root cause is that the validation middleware that should enforce a regex pattern on dagRunId is never enabled due to a missing configuration, and no sanitization is applied before using dagRunId in filepath.Join. [1]
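The following Go program is an added illustration of the two points above, not code from the Dagu project: filepath.Join resolves ".." lexically, so an unvalidated dagRunId can make a run directory resolve to /tmp or higher, and a deferred os.RemoveAll then acts on that path. The base directory /tmp/dagu-runs, the allow-list regex and the function names are assumptions chosen for the example; Dagu's real layout and its regex are not on this page. The safe version applies two independent defences: an allow-list on the id and a containment check on the resolved path, so cleanup can never target the base directory or anything above it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// baseDir is a constructed example path, not Dagu's actual temporary layout.
const baseDir = "/tmp/dagu-runs"

// vulnerableRunDir mirrors the pattern the advisory describes: the untrusted id
// goes straight into filepath.Join, which cleans ".." segments lexically.
func vulnerableRunDir(dagRunID string) string {
	return filepath.Join(baseDir, dagRunID)
}

// dagRunIDPattern is an assumed allow-list (hypothetical, not Dagu's regex):
// letters, digits, underscore and hyphen only, so no separators or dots.
var dagRunIDPattern = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$`)

var ErrInvalidDagRunID = errors.New("invalid dagRunId")

// withinBase reports whether dir is strictly inside baseDir. It rejects the base
// itself ("."), its parent ("..") and anything that starts with "../".
func withinBase(dir string) bool {
	rel, err := filepath.Rel(baseDir, dir)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeRunDir validates the id against the allow-list and then checks that the
// resolved path is still contained in baseDir (defence in depth).
func safeRunDir(dagRunID string) (string, error) {
	if !dagRunIDPattern.MatchString(dagRunID) {
		return "", ErrInvalidDagRunID
	}
	dir := filepath.Join(baseDir, dagRunID)
	if !withinBase(dir) {
		return "", ErrInvalidDagRunID
	}
	return dir, nil
}

// cleanupRunDir is the shape a deferred cleanup should take: the id is
// re-validated and RemoveAll only ever sees a contained path.
func cleanupRunDir(dagRunID string) error {
	dir, err := safeRunDir(dagRunID)
	if err != nil {
		return err
	}
	return os.RemoveAll(dir)
}

func main() {
	for _, id := range []string{"run-42", "..", "../../etc", "a/../.."} {
		fmt.Printf("%-12q vulnerable=%-22s", id, vulnerableRunDir(id))
		if dir, err := safeRunDir(id); err != nil {
			fmt.Printf(" safe=rejected (%v)\n", err)
		} else {
			fmt.Printf(" safe=%s\n", dir)
		}
	}
}
```

Running it shows that vulnerableRunDir("..") yields /tmp and vulnerableRunDir("../../etc") yields /etc, which is exactly the path a deferred os.RemoveAll would delete, while safeRunDir rejects both and accepts only plain identifiers such as run-42.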
How can this vulnerability impact me?
This vulnerability can cause a severe denial of service (DoS) on affected systems.
- On non-root Linux deployments, the cleanup deletes all files in /tmp owned by the dagu process user, disrupting all concurrent dagu runs that rely on temporary files.
- On root or Docker deployments, the cleanup deletes the entire contents of /tmp, causing a system-wide denial of service affecting all processes using /tmp.
- Additionally, an attacker can write arbitrary workflow definition files outside the intended temporary directory by manipulating dagRunId, potentially leading to persistent malicious workflows being created and executed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual deletions or disruptions in the /tmp directory, especially files owned by the dagu process user. Since the attack involves sending a POST request with a specially crafted dagRunId parameter (such as ".."), detection can focus on identifying such requests to the inline DAG execution endpoints.

Suggested commands to detect potential exploitation attempts include:
- Checking recent HTTP POST requests to /api/v1/dag-runs or /api/v1/dag-runs/enqueue containing dagRunId values with path traversal patterns (e.g., "..") in logs.
- Using command-line tools like grep to search server access logs for suspicious dagRunId parameters, for example: grep -E 'dagRunId.*\.\.' /path/to/dagu/access.log
- Monitoring the /tmp directory for unexpected mass deletions or missing files owned by the dagu user, e.g., using: ls -l /tmp | grep dagu and checking for sudden changes.
- Using file integrity monitoring tools to detect unexpected removals in /tmp. [1]
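The grep above misses percent-encoded forms of the same value (a dagRunId sent as %2e%2e decodes to ".." only after the server parses it). The Go program below is an added example, not Dagu's code or tooling: it scans a constructed access log whose line format ("METHOD PATH?QUERY STATUS") is an assumption, restricts itself to POSTs to the two endpoints named on this page, URL-decodes the dagRunId query value, and flags any value containing ".." or a path separator. It goes slightly beyond the page's grep by also catching encoded traversal.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleLog is a constructed access log; Dagu's real log format is not on the
// page. Each line is "METHOD PATH?QUERY STATUS".
const sampleLog = `POST /api/v1/dag-runs?dagRunId=run-20260313-001 200
GET /api/v1/dags 200
POST /api/v1/dag-runs/enqueue?dagRunId=.. 200
POST /api/v1/dag-runs?dagRunId=%2e%2e%2f%2e%2e 200
POST /api/v1/dag-runs?dagRunId=nightly_build 200
POST /api/v1/other?dagRunId=.. 404`

// inlineEndpoints are the inline DAG execution endpoints named in the advisory.
var inlineEndpoints = map[string]bool{
	"/api/v1/dag-runs":         true,
	"/api/v1/dag-runs/enqueue": true,
}

// traversalPattern flags a ".." segment or any path separator in a decoded id.
var traversalPattern = regexp.MustCompile(`\.\.|[/\\]`)

// Finding records one suspicious request.
type Finding struct {
	LineNo   int
	Path     string
	DagRunID string
}

// suspiciousDagRunID reports whether a decoded dagRunId carries traversal characters.
func suspiciousDagRunID(id string) bool {
	return traversalPattern.MatchString(id)
}

// scanAccessLog returns every POST to an inline DAG execution endpoint whose
// dagRunId, after percent-decoding, looks like a traversal attempt.
func scanAccessLog(log string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || fields[0] != "POST" {
			continue
		}
		u, err := url.Parse(fields[1])
		if err != nil || !inlineEndpoints[u.Path] {
			continue
		}
		// Query() percent-decodes values, so %2e%2e becomes ".." here.
		id := u.Query().Get("dagRunId")
		if id != "" && suspiciousDagRunID(id) {
			findings = append(findings, Finding{LineNo: i + 1, Path: u.Path, DagRunID: id})
		}
	}
	return findings
}

func main() {
	for _, f := range scanAccessLog(sampleLog) {
		fmt.Printf("line %d: POST %s dagRunId=%q\n", f.LineNo, f.Path, f.DagRunID)
	}
}
```

On the constructed log this reports lines 3 and 4 (the plain ".." and the encoded "../.."), skips the well-formed ids, and ignores the traversal value on line 6 because that request did not reach an inline execution endpoint. If the real server logs request bodies rather than query strings, the dagRunId extraction is the only part that needs adapting.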
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade dagu to version 2.2.4 or later, where this vulnerability is fixed.
- If upgrading is not immediately possible, restrict access to the inline DAG execution endpoints (/api/v1/dag-runs and /api/v1/dag-runs/enqueue) to trusted users only, as the attacker must be authenticated with a role that allows DAG execution.
- Enable or enforce strict validation middleware for the dagRunId parameter to block path traversal characters, if configurable.
- Monitor logs for suspicious dagRunId values and unusual deletions in /tmp to detect exploitation attempts early.
- Consider running dagu with least privilege to limit the impact of any potential exploitation.