Description
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Dagu is a workflow engine whose web interface delivers real‑time data over Server‑Sent Events (SSE). When configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), buildStreamAuthOptions() returns an auth.Options struct with BasicAuthEnabled set to true but AuthRequired left unset, so it takes Go's zero value of false. The authentication middleware (internal/service/frontend/auth/middleware.go) treats AuthRequired=false as "no credentials needed" and passes the request through. As a result, unauthenticated users can connect to any SSE endpoint and read real‑time DAG execution data, workflow configurations, execution logs, and queue status, bypassing the authentication that protects the REST API. The weakness is CWE‑306, Missing Authentication for Critical Function: the credential check exists, but is never applied to this class of endpoint.
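The root cause is a Go zero-value trap: a boolean field that must be set to true for safety is omitted from a struct literal and silently becomes false. The following is an added illustration (not Dagu's code) that reproduces the pattern the advisory describes and shows the two defences a maintainer would want: setting AuthRequired explicitly, and validating the options struct so an "enabled but not required" combination is rejected at startup. The Options field names follow the advisory; the SSE path, handler body and validate() helper are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options mirrors the shape described in the advisory. The field names
// BasicAuthEnabled and AuthRequired are taken from it; everything else
// is illustrative.
type Options struct {
	BasicAuthEnabled bool
	AuthRequired     bool // Go zero value is false: the bug lives here.
	Username         string
	Password         string
}

// buildStreamAuthOptionsVulnerable reproduces the pre-2.2.4 pattern: it
// enables Basic auth but never sets AuthRequired, so it stays false.
func buildStreamAuthOptionsVulnerable(mode, user, pass string) Options {
	if mode == "basic" {
		return Options{BasicAuthEnabled: true, Username: user, Password: pass}
	}
	return Options{}
}

// buildStreamAuthOptionsFixed sets AuthRequired explicitly whenever any
// authentication scheme is enabled.
func buildStreamAuthOptionsFixed(mode, user, pass string) Options {
	if mode == "basic" {
		return Options{BasicAuthEnabled: true, AuthRequired: true, Username: user, Password: pass}
	}
	return Options{}
}

// validate is an assumed startup check: an options struct that enables a
// scheme without requiring it is a configuration error, not a valid state.
func validate(o Options) error {
	if o.BasicAuthEnabled && !o.AuthRequired {
		return errors.New("auth: BasicAuthEnabled without AuthRequired leaves endpoints open")
	}
	return nil
}

// authMiddleware models the decision the advisory describes: when
// AuthRequired is false the request is passed through unauthenticated.
func authMiddleware(opts Options, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !opts.AuthRequired {
			next.ServeHTTP(w, r) // unauthenticated pass-through
			return
		}
		if opts.BasicAuthEnabled {
			u, p, ok := r.BasicAuth()
			if ok && u == opts.Username && p == opts.Password {
				next.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="dagu"`)
		w.WriteHeader(http.StatusUnauthorized)
	})
}

// probeStream sends one request to a stand-in SSE handler wrapped in the
// middleware and returns the HTTP status. Empty user means no credentials.
// The path is a placeholder, not a documented Dagu endpoint.
func probeStream(opts Options, user, pass string) int {
	sse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "event: status\ndata: {\"dag\":\"example\",\"status\":\"running\"}\n\n")
	})
	req := httptest.NewRequest(http.MethodGet, "/stream/example", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	authMiddleware(opts, sse).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := buildStreamAuthOptionsVulnerable("basic", "admin", "secret")
	fixed := buildStreamAuthOptionsFixed("basic", "admin", "secret")
	fmt.Println("vulnerable, no credentials:", probeStream(vuln, "", ""))   // 200
	fmt.Println("fixed, no credentials:     ", probeStream(fixed, "", ""))  // 401
	fmt.Println("fixed, valid credentials:  ", probeStream(fixed, "admin", "secret"))
	fmt.Println("validate(vulnerable):", validate(vuln))
}
```

The middleware itself is not wrong in isolation; the defect is that the caller relied on a default that points the unsafe way. A constructor that sets AuthRequired explicitly, plus a validate() step that fails startup on the inconsistent combination, closes the gap in both directions.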

Affected Systems

The vulnerability affects all releases of the Dagu workflow engine from dagu-org prior to version 2.2.4. Any instance running a version earlier than 2.2.4 with Basic authentication enabled is susceptible. Users should verify their Dagu version and upgrade if necessary.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network‑reachable, low complexity, no privileges or user interaction, with a high confidentiality impact and no integrity or availability impact. The EPSS score is below 1%, suggesting low current exploitation probability, but the flaw is publicly documented and the SSVC assessment records proof‑of‑concept exploitation, so any attacker with network access to the SSE endpoints can use it. It is not listed in the CISA KEV catalog. Exploitation requires only unauthenticated HTTP(S) connectivity to the Dagu web UI; no credentials, privileged access, or code execution is needed, and the result is disclosure of workflow definitions and execution logs rather than control of the server.

Generated by OpenCVE AI on March 18, 2026 at 21:52 UTC.

Remediation

Vendor fix available: Dagu 2.2.4 resolves the issue (GHSA-9wmw-9wph-2vwp). No workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade Dagu to version 2.2.4 or later



Advisories
Source       ID                    Title
Github GHSA  GHSA-9wmw-9wph-2vwp   Dagu: SSE Authentication Bypass in Basic Auth Mode
History

Wed, 18 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dagu
                                      Dagu dagu
CPEs                                  cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*
Vendors & Products                    Dagu
                                      Dagu dagu

Mon, 16 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dagu-org
                                      Dagu-org dagu
Vendors & Products                    Dagu-org
                                      Dagu-org dagu

Fri, 13 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 19:45:00 +0000

Type         Values Removed   Values Added
Description                   Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.
Title                         Dagu SSE Authentication Bypass in Basic Auth Mode
Weaknesses                    CWE-306
References
Metrics                       cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:43:56.406Z

Reserved: 2026-03-09T21:59:02.686Z

Link: CVE-2026-31882

Vulnrichment

Updated: 2026-03-13T19:43:53.328Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:37.000

Modified: 2026-03-18T20:14:20.940

Link: CVE-2026-31882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:12Z

Weaknesses