Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
Published: 2026-01-22
Score: 8.9 High (CVSS v4.0; NVD also records a CVSS v3.1 base score of 9.8)
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated access to Dragonfly Job API allows privileged operations such as viewing, modifying, and deleting jobs.
Action: Immediate Patch
AI Analysis

Impact

Dragonfly, an open source peer‑to‑peer file distribution and image acceleration system, exposes the Manager's Job API endpoints (/api/v1/jobs) in versions 2.4.1‑rc.0 and earlier without the JWT authentication middleware or RBAC authorization checks in its routing configuration. This is a CWE‑306 (Missing Authentication for Critical Function) weakness: any client that can reach the Manager API can list, update or delete jobs without presenting credentials. An attacker can read job metadata that may reveal sensitive information, alter existing jobs to disrupt distribution, or delete jobs, denying service to legitimate users. The advisory lists view, update and delete operations; it does not state that unauthenticated job creation is possible.

Affected Systems

The vulnerability affects the Dragonfly project from the Linux Foundation, specifically versions 2.4.1‑rc.0 and all earlier releases; the NVD CPE entries enumerate the 2.4.1 beta0, beta1 and rc0 pre‑releases alongside a wildcard covering earlier versions. The issue is resolved in release 2.4.1‑rc.1. No other product variants or platforms are listed as impacted.

Risk and Exploitability

The 8.9 score is CVSS v4.0 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, with E:P indicating a proof of concept); NVD additionally records a CVSS v3.1 base score of 9.8. The EPSS score below 1% indicates a low current probability of observed exploitation activity, and the CVE is not in the CISA KEV catalog. The attack vector is the network: any client that can reach the Manager API over HTTP/HTTPS can call the job endpoints directly, with no credentials, privileges or user interaction required, and perform read, update and delete operations on jobs. Exposure is therefore governed by who can reach the Manager port.
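The following Go program is an added illustration written for this page, not Dragonfly's own code: it models the flaw class the advisory describes, a job route group registered without the JWT and RBAC middleware, beside a hardened router that wraps the same handlers, and probes both without a token the way a scanner would. The handler, the bearer-token table and the root/guest roles are constructed stand-ins; a real middleware would verify the token signature and read the role from its claims.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type ctxKey string

const roleKey ctxKey = "role"

// Constructed token table standing in for JWT verification and claim
// extraction (assumption for this example, not Dragonfly's mechanism).
var tokens = map[string]string{
	"admin-token":  "root",
	"viewer-token": "guest",
}

// jobsHandler is a hypothetical stand-in for the Manager's job handlers.
func jobsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s %s reached the job handler\n", r.Method, r.URL.Path)
}

// requireJWT rejects requests without a known bearer token (401) and
// records the caller's role in the request context for later checks.
func requireJWT(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		role, ok := tokens[raw]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), roleKey, role)))
	})
}

// requireRole is a minimal RBAC check: only "root" may modify or delete
// jobs; any authenticated role may read them.
func requireRole(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, _ := r.Context().Value(roleKey).(string)
		if r.Method != http.MethodGet && role != "root" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableMux mirrors the advisory's flaw class: the job routes are
// registered directly, bypassing both middlewares.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/jobs", http.HandlerFunc(jobsHandler))
	mux.Handle("/api/v1/jobs/", http.HandlerFunc(jobsHandler))
	return mux
}

// hardenedMux registers the same handlers behind JWT auth and RBAC.
func hardenedMux() http.Handler {
	mux := http.NewServeMux()
	protected := requireJWT(requireRole(http.HandlerFunc(jobsHandler)))
	mux.Handle("/api/v1/jobs", protected)
	mux.Handle("/api/v1/jobs/", protected)
	return mux
}

// probe sends one request (empty token = unauthenticated) and returns the
// HTTP status. Against a live Manager a scanner would do the same with an
// unauthenticated GET /api/v1/jobs and expect 401, not 200.
func probe(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct {
		name string
		h    http.Handler
	}{{"vulnerable", vulnerableMux()}, {"hardened", hardenedMux()}} {
		fmt.Printf("%-10s unauthenticated DELETE /api/v1/jobs/42 -> %d\n",
			tc.name, probe(tc.h, http.MethodDelete, "/api/v1/jobs/42", ""))
	}
}
```

The point of wrapping the handler chain once (`requireJWT(requireRole(...))`) and registering that single value for every job path is that a new route cannot be added to the group without inheriting the checks; registering each path separately, as the vulnerable router does, is exactly how one group ends up unguarded while the rest of the API is fine.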

Generated by OpenCVE AI on April 18, 2026 at 15:21 UTC.

Remediation

The advisory states that the issue is fixed in version 2.4.1‑rc.1; no separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Dragonfly to version 2.4.1‑rc.1 or later, which restores JWT authentication and RBAC on the Job API endpoints.
  • Until the upgrade is done, restrict network access to the Manager API (firewall rules, or a reverse proxy that enforces authentication in front of /api/v1/jobs) so that only trusted clients can reach it.
  • Log Manager API access and alert on requests to /api/v1/jobs that are answered without a valid JWT, with particular attention to update and delete operations, to detect exploitation attempts.
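Whether an installed build falls inside the affected range is the check the first action above depends on, and pre-release tags make a naive string comparison unreliable: 2.4.1-rc.10 sorts after 2.4.1-rc.1, and the final 2.4.1 release sorts after both. The following Go function is an added example, not Dragonfly tooling; it assumes Dragonfly version strings follow semantic versioning with an optional leading "v", as the range identifiers on this page (2.4.1-rc.0, 2.4.1-rc.1) do, and treats anything strictly below 2.4.1-rc.1 as affected.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Assumption for this example: releases follow semver with an optional
// leading "v", e.g. "v2.4.1-rc.0".
type version struct {
	core [3]int
	pre  []string // empty for a final release
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i] // build metadata never affects precedence
	}
	var v version
	core := s
	if i := strings.IndexByte(s, '-'); i >= 0 {
		core, v.pre = s[:i], strings.Split(s[i+1:], ".")
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component in %q", s)
		}
		v.core[i] = n
	}
	return v, nil
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	}
	if a > b {
		return 1
	}
	return 0
}

// comparePre orders pre-release identifiers per semver: numeric ones
// compare as integers and sort before alphanumeric ones, which compare
// lexically.
func comparePre(a, b string) int {
	an, aErr := strconv.Atoi(a)
	bn, bErr := strconv.Atoi(b)
	switch {
	case aErr == nil && bErr == nil:
		return cmpInt(an, bn)
	case aErr == nil:
		return -1
	case bErr == nil:
		return 1
	}
	return strings.Compare(a, b)
}

// compareVersion returns -1, 0 or 1. A final release outranks any of its
// own pre-releases; a longer pre-release list outranks a shorter prefix.
func compareVersion(a, b version) int {
	for i := range a.core {
		if c := cmpInt(a.core[i], b.core[i]); c != 0 {
			return c
		}
	}
	switch {
	case len(a.pre) == 0 && len(b.pre) == 0:
		return 0
	case len(a.pre) == 0:
		return 1
	case len(b.pre) == 0:
		return -1
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		if c := comparePre(a.pre[i], b.pre[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(a.pre), len(b.pre))
}

// Affected reports whether a Dragonfly version string is below the fixed
// release 2.4.1-rc.1, i.e. within "2.4.1-rc.0 and below".
func Affected(s string) (bool, error) {
	fixed, _ := parseVersion("2.4.1-rc.1")
	v, err := parseVersion(s)
	if err != nil {
		return false, err
	}
	return compareVersion(v, fixed) < 0, nil
}

func main() {
	for _, s := range []string{"v2.4.1-beta.1", "2.4.1-rc.0", "2.4.1-rc.1", "2.4.1-rc.10", "2.4.1", "2.4.0"} {
		a, err := Affected(s)
		fmt.Printf("%-14s affected=%v err=%v\n", s, a, err)
	}
}
```

Strings that are not semver (a container tag such as "latest") are reported as an error rather than silently classified, since an inventory that maps "latest" to "not affected" is worse than one that asks you to resolve the tag.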


Advisories
Source: GitHub GHSA
ID: GHSA-j8hf-cp34-g4j7
Title: Dragonfly Manager Job API Unauthenticated Access
History

Thu, 26 Feb 2026 21:45:00 +0000

First Time appeared (added): Linuxfoundation; Linuxfoundation dragonfly
CPEs (added):
  cpe:2.3:a:linuxfoundation:dragonfly:*:*:*:*:*:go:*:*
  cpe:2.3:a:linuxfoundation:dragonfly:2.4.1:beta0:*:*:*:go:*:*
  cpe:2.3:a:linuxfoundation:dragonfly:2.4.1:beta1:*:*:*:go:*:*
  cpe:2.3:a:linuxfoundation:dragonfly:2.4.1:rc0:*:*:*:go:*:*
Vendors & Products (added): Linuxfoundation; Linuxfoundation dragonfly
Metrics (added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 17:15:00 +0000

Metrics ssvc (removed): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 20:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

First Time appeared (added): Dragonflyoss; Dragonflyoss dragonfly2
Vendors & Products (added): Dragonflyoss; Dragonflyoss dragonfly2

Thu, 22 Jan 2026 23:00:00 +0000

Description (added): Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
Title (added): Dragonfly Manager Job API Allows Unauthenticated Access
Weaknesses (added): CWE-306
References (added):
Metrics (added): cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-26T14:44:30.933Z
Reserved: 2026-01-21T18:38:22.473Z
Link: CVE-2026-24124

Vulnrichment

Updated: 2026-01-23T20:09:17.968Z

NVD

Status: Analyzed
Published: 2026-01-22T23:15:58.153
Modified: 2026-02-26T21:42:54.353
Link: CVE-2026-24124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses