PT-2026-25364 · Dagu+3 · Dagu

0Xkakash1

·

Published

2026-03-13

·

Updated

2026-03-13

·

CVE-2026-31882

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Dagu versions prior to 2.2.4

Description

Dagu is a workflow engine with a built-in web user interface. When it is configured for HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are reachable without credentials. An unauthenticated attacker can therefore read real-time DAG execution data, workflow configurations, execution logs and queue status, bypassing the authentication that protects the REST API.

The root cause is the buildStreamAuthOptions() function: it returns an authentication structure with BasicAuthEnabled set to true while AuthRequired keeps its default value of false, and the authentication middleware passes unauthenticated requests through whenever AuthRequired is false. The affected SSE endpoints are '/api/v1/events/dags', '/api/v1/events/dags/{fileName}', '/api/v1/events/dag-runs', '/api/v1/events/dag-runs/{name}/{dagRunId}', '/api/v1/events/dag-runs/{name}/{dagRunId}/logs', '/api/v1/events/queues', '/api/v1/events/docs-tree' and '/api/v1/events/docs/*'.

With this access an attacker can enumerate workflows, monitor executions in real time, read execution logs and map the surrounding infrastructure. Because the defect is confined to the SSE endpoints, a minimal exposure check is whether an unauthenticated request to one of the listed paths is answered with an event stream instead of being rejected.

Recommendations

Update to version 2.2.4 or later. Set AuthRequired to true for basic auth mode, and implement a session-token mechanism so that basic-auth users can authenticate SSE requests via the '?token=' query parameter (the browser EventSource API cannot send an Authorization header, which is why SSE streams need a separate credential path). Until the update is applied, do not expose the web UI to untrusted networks; a reverse proxy that enforces authentication on '/api/v1/events/' in front of Dagu closes the bypass.
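The following Go program is an added example written for this page; it is not Dagu's own code. It models the defect the advisory describes (an options builder that enables basic auth but leaves AuthRequired at its zero value, and a middleware that skips authentication when AuthRequired is false) next to a fixed builder that sets AuthRequired and accepts a session token via '?token=' on SSE paths. The AuthOptions type, the Username/Password/SessionTokens fields, the token-on-SSE-paths rule, and the credentials are assumptions made for the example; only the two boolean field names and the function name pattern come from the advisory.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthOptions is a stand-in for the authentication structure the advisory
// refers to. AuthRequired and BasicAuthEnabled are named in the advisory;
// the type name and the remaining fields are assumptions for this example.
type AuthOptions struct {
	AuthRequired     bool
	BasicAuthEnabled bool
	Username         string
	Password         string
	SessionTokens    map[string]bool // tokens accepted via ?token= on SSE paths
}

// buildStreamAuthOptionsVulnerable reproduces the defect: basic auth is
// marked enabled, but AuthRequired is never set and keeps its zero value.
func buildStreamAuthOptionsVulnerable(user, pass string) AuthOptions {
	return AuthOptions{BasicAuthEnabled: true, Username: user, Password: pass}
}

// buildStreamAuthOptionsFixed sets AuthRequired explicitly and carries the
// session tokens that SSE clients may present in the query string.
func buildStreamAuthOptionsFixed(user, pass string, tokens map[string]bool) AuthOptions {
	return AuthOptions{
		AuthRequired:     true,
		BasicAuthEnabled: true,
		Username:         user,
		Password:         pass,
		SessionTokens:    tokens,
	}
}

func constEq(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// authMiddleware mirrors the decision the advisory describes: when
// AuthRequired is false the request is passed through untouched, which is
// exactly how the vulnerable options bypass basic auth.
func authMiddleware(opts AuthOptions, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !opts.AuthRequired {
			next.ServeHTTP(w, r)
			return
		}
		if opts.BasicAuthEnabled {
			if u, p, ok := r.BasicAuth(); ok && constEq(u, opts.Username) && constEq(p, opts.Password) {
				next.ServeHTTP(w, r)
				return
			}
			// Browser EventSource cannot set an Authorization header, so SSE
			// clients present a previously issued session token instead.
			if strings.HasPrefix(r.URL.Path, "/api/v1/events/") {
				if t := r.URL.Query().Get("token"); t != "" && opts.SessionTokens[t] {
					next.ServeHTTP(w, r)
					return
				}
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="dagu"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// probe sends one in-memory GET through the middleware and returns the HTTP
// status. user may be empty for an anonymous request; a ?token= may be part of path.
func probe(opts AuthOptions, path, user, pass string) int {
	stream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "event: dags\ndata: {}\n\n")
	})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	authMiddleware(opts, stream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed credentials and token for the demonstration; not real values.
	vuln := buildStreamAuthOptionsVulnerable("admin", "s3cret")
	fixed := buildStreamAuthOptionsFixed("admin", "s3cret", map[string]bool{"tok-123": true})
	fmt.Println("vulnerable, anonymous:", probe(vuln, "/api/v1/events/dags", "", ""))
	fmt.Println("fixed, anonymous:     ", probe(fixed, "/api/v1/events/dags", "", ""))
	fmt.Println("fixed, basic auth:    ", probe(fixed, "/api/v1/events/dags", "admin", "s3cret"))
	fmt.Println("fixed, ?token=:       ", probe(fixed, "/api/v1/events/dags?token=tok-123", "", ""))
}
```

The vulnerable builder yields a 200 and an event stream for an anonymous request; the fixed builder answers 401 unless the request carries valid basic-auth credentials or, on an SSE path only, a known session token. Restricting the query-string token to the '/api/v1/events/' prefix keeps the token from becoming a general-purpose credential for the rest of the API.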

Exploit

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-31882
GHSA-9WMW-9WPH-2VWP

Affected Products

Dagu