VDB

CVE-2026-31886

CVE-2026-31886 PUBLISHED CVSS 9.100000381469727 CRITICAL

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

EPSS 0.06% · 18.4th percentile

Risk Scores

CVSS 3.1
9.100000381469727
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
EPSS Score
0.06%
18.4th percentile

Affected Products

VendorProductVersions
dagudagu0, 0, 0
github.comdagu-org/dagu0, 0, 0
dagu-orgdagu< 2.2.4, < 2.2.4, < 2.2.4

Timeline

  • Mar 13, 2026 CVE Published
  • Mar 14, 2026 EPSS Score
  • Mar 14, 2026 PoC Published
  • Mar 15, 2026 EPSS Score
  • Mar 16, 2026 CVE Updated
  • Mar 16, 2026 EPSS Score
  • Mar 17, 2026 EPSS Score
  • Mar 17, 2026 Coalition ESS Score
  • Mar 17, 2026 Security Advisory
  • Mar 18, 2026 EPSS Score
  • Mar 18, 2026 PoC Published
  • Mar 19, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›