Critical (9.1)

CVE-2026-31886: Dagu

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to constru...

Overview

A critical security vulnerability, tracked as CVE-2026-31886, has been discovered in the Dagu workflow engine. An attacker who can reach the inline DAG execution endpoints can use it to delete files outside Dagu's own working directory, potentially causing a complete denial of service of the host. Dagu is an open-source tool with a built-in web interface for automating workflows.

Vulnerability Explained

In simple terms, this is a path traversal vulnerability. Dagu versions before 2.2.4 expose inline DAG execution endpoints used for running workflows. These endpoints take a request field, dagRunId, and pass it straight into filepath.Join to build the path of a temporary working directory on the server's filesystem.

The vulnerability exists because the field is never validated or sanitized. filepath.Join cleans the joined path, so a dagRunId of `..` (the parent-directory path component) resolves to the directory above the intended temporary location instead of a subdirectory inside it. A cleanup step then removes this incorrectly resolved directory recursively, deleting everything it contains.
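The following Go program is an added illustration of the bug class described above; it is not Dagu's code and does not reproduce the project's actual endpoint or fix. The base directory, the identifier allowlist and the function names are assumptions made for the example. It shows the unchecked filepath.Join beside a hardened version that validates dagRunId and then proves the resulting path is still inside the base directory. The destructive cleanup (an os.RemoveAll on the joined path) is mentioned in a comment but deliberately not called.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// baseDir is a hypothetical per-run working directory root; the real
// location depends on the deployment and is not taken from Dagu.
const baseDir = "/tmp/dagu-runs"

// vulnerableRunDir reproduces the unsafe pattern: the request field goes
// straight into filepath.Join. Join cleans the result, so ".." walks out
// of base. A cleanup of the form os.RemoveAll(vulnerableRunDir(base, id))
// is what turns the traversal into deletion; it is intentionally omitted.
func vulnerableRunDir(base, dagRunID string) string {
	return filepath.Join(base, dagRunID)
}

// validID is the allowlist this example assumes for run identifiers:
// letters, digits, underscore and hyphen only, so no separators or dots.
var validID = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

// ErrBadRunID is returned for any identifier that fails validation.
var ErrBadRunID = errors.New("invalid dagRunId")

// safeRunDir applies the allowlist and, as defense in depth, checks that
// the joined path is a strict descendant of base before returning it.
func safeRunDir(base, dagRunID string) (string, error) {
	if !validID.MatchString(dagRunID) {
		return "", ErrBadRunID
	}
	dir := filepath.Join(base, dagRunID)
	rel, err := filepath.Rel(base, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadRunID
	}
	return dir, nil
}

func main() {
	// Constructed sample identifiers: one benign, the rest traversal attempts.
	for _, id := range []string{"run-123", "..", "../..", "a/../../etc", ""} {
		fmt.Printf("%-14q vulnerable=%-22s ", id, vulnerableRunDir(baseDir, id))
		if dir, err := safeRunDir(baseDir, id); err != nil {
			fmt.Printf("hardened=rejected (%v)\n", err)
		} else {
			fmt.Printf("hardened=%s\n", dir)
		}
	}
}
```

Running it shows that the vulnerable join turns `..` into `/tmp` and `../..` into `/`, which is exactly the parent directory a recursive cleanup would then wipe, while the hardened version rejects every identifier that is not a plain token. The allowlist alone is sufficient; the filepath.Rel check is there so the function stays safe even if the allowlist is later loosened.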

Potential Impact

The impact of this flaw is severe and depends on how Dagu is installed:

  • Non-root deployments: The attack can delete every file in /tmp that the Dagu process user owns or may remove. This disrupts all concurrent Dagu operations, halting workflows and causing data loss.
  • Root or Docker deployments: The attack can delete the entire contents of the system's /tmp directory, which the operating system and many other applications rely on. Deleting it causes immediate, widespread system instability and a full denial of service, potentially crashing the server.

This makes the vulnerability especially dangerous in containerized environments and default installations, where the process frequently has enough privilege to remove files it does not own.

Remediation and Mitigation

Immediate action is required to protect your systems.

Primary Fix: The only complete solution is to upgrade Dagu to version 2.2.4 or later. This version validates dagRunId before it is used to build the temporary directory path, preventing the traversal. Users should update their installations without delay.

Temporary Mitigation: If immediate upgrading is not possible, consider the following steps to reduce risk:

  1. Restrict Network Access: Ensure the Dagu web interface is not exposed to the public internet. Limit access to only trusted, necessary networks, since anyone who can reach the inline DAG execution endpoints can trigger the flaw.
  2. Run as a Dedicated User: Run the Dagu service under a dedicated, non-root user with minimal filesystem permissions. This does not stop the deletion itself, but it confines what can be removed to files that user owns or may delete.
  3. Monitor for Exploitation: Watch system logs and the integrity of /tmp for unexpected recursive deletions, and review requests to the DAG execution endpoints for dagRunId values that contain `..` or path separators.

Organizations should treat this as a critical patch. Failure to apply it could result in significant operational disruption.
