PT-2026-4299 · Dragonfly · Dragonfly
B0B0Haha
Published: 2026-01-22 · Updated: 2026-02-26
CVE-2026-24124
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Dragonfly versions 2.4.1-rc.0 through 2.4.1-rc.0
Dragonfly versions 2.x
Description
Dragonfly Manager's Job API endpoints lack authentication, allowing unauthenticated attackers to create, query, modify, and delete jobs. This could lead to resource exhaustion, information disclosure, and service disruption. The issue stems from missing JWT authentication middleware and RBAC authorization checks in the routing configuration for the Job API endpoints (/api/v1/jobs). Specifically, the code in manager/router/router.go lacks the authentication configuration that is present for the other API endpoints. An attacker could exploit this by interacting directly with the /api/v1/jobs endpoint to perform unauthorized actions. The affected endpoints allow listing all jobs (GET /api/v1/jobs), creating new jobs (POST /api/v1/jobs), querying job details (GET /api/v1/jobs/:id), modifying jobs (PATCH /api/v1/jobs/:id), and deleting jobs (DELETE /api/v1/jobs/:id).
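The routing flaw described above, reduced to a runnable illustration. This is an added example written with Go's standard net/http package, not Dragonfly's own router code: the route registration, the bearer-token table that stands in for JWT verification, the role names and the Probe helper are all constructed for this example. It registers the same Job API paths twice, once with no middleware (the shape of the defect) and once behind an authentication plus RBAC middleware, then drives both routers in-process to show the difference in status codes.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// jobsHandler stands in for the Job API handlers (list, create, get, patch, delete).
func jobsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "%s %s ok\n", r.Method, r.URL.Path)
}

// NewVulnerableMux registers the job routes with no middleware at all,
// which is the shape of the defect the advisory describes.
func NewVulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/jobs", jobsHandler)
	mux.HandleFunc("/api/v1/jobs/", jobsHandler)
	return mux
}

// Principals maps bearer tokens to roles. Constructed stand-in for JWT
// verification: a real service verifies the token signature and reads the
// role claim instead of looking the token up in a table.
type Principals map[string]string

// writeMethods are the job operations that require the admin role.
var writeMethods = map[string]bool{
	http.MethodPost: true, http.MethodPatch: true, http.MethodDelete: true,
}

// authorize is the authentication + RBAC middleware the vulnerable routes
// were missing: 401 without a valid token, 403 when the role may not
// perform the requested method.
func authorize(p Principals, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		role, known := p[strings.TrimPrefix(auth, "Bearer ")]
		if !known {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if writeMethods[r.Method] && role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewHardenedMux registers the same handlers behind the middleware.
func NewHardenedMux(p Principals) http.Handler {
	mux := http.NewServeMux()
	protected := authorize(p, http.HandlerFunc(jobsHandler))
	mux.Handle("/api/v1/jobs", protected)
	mux.Handle("/api/v1/jobs/", protected)
	return mux
}

// Probe sends one in-memory request and returns the status code, so the
// two routers can be compared without opening a network listener.
func Probe(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	p := Principals{"admin-token": "admin", "viewer-token": "viewer"} // constructed
	fmt.Println("vulnerable, no token, DELETE /api/v1/jobs/42:", Probe(NewVulnerableMux(), "DELETE", "/api/v1/jobs/42", ""))
	fmt.Println("hardened,   no token, DELETE /api/v1/jobs/42:", Probe(NewHardenedMux(p), "DELETE", "/api/v1/jobs/42", ""))
	fmt.Println("hardened,   viewer,   DELETE /api/v1/jobs/42:", Probe(NewHardenedMux(p), "DELETE", "/api/v1/jobs/42", "viewer-token"))
	fmt.Println("hardened,   viewer,   GET    /api/v1/jobs:   ", Probe(NewHardenedMux(p), "GET", "/api/v1/jobs", "viewer-token"))
}
```

The point of wrapping the handler rather than checking inside it is that every path registered under /api/v1/jobs inherits the check; the advisory's root cause is precisely a route group that was registered without the wrapper the other API groups had, which is a regression a test like Probe on each route group catches at build time.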
Recommendations
Versions 2.4.1-rc.0 and earlier: Add authentication and authorization middleware to the Job API in the manager/router/router.go file.
Versions 2.4.1-rc.0 and earlier: As a temporary mitigation, restrict network access to the Manager API using firewall rules or Kubernetes NetworkPolicy.
Versions 2.4.1-rc.0 and earlier: As a temporary mitigation, deploy an API gateway in front of Manager for authentication.
Versions 2.4.1-rc.0 and earlier: Monitor abnormal access patterns to the Job API and set up alerts for unusual job creation or deletion activity.
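The last recommendation, monitoring the Job API for unusual creation or deletion activity, as an added detection example. This is not Dragonfly's own code and the access-log line format (timestamp, source address, method, path, status, auth marker) is constructed for the example; adapt parseLine to whatever the Manager or the gateway in front of it actually emits. Two rules run over the log: any write (POST, PATCH, DELETE) to /api/v1/jobs that carried no credential, and any source issuing more than maxWrites job writes inside a sliding window.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed access-log record.
type Event struct {
	At     time.Time
	Source string
	Method string
	Path   string
	Status int
	Authed bool
}

// Alert is one detection result; Count is the number of matching writes.
type Alert struct {
	Rule   string // "unauthenticated-write" or "write-burst"
	Source string
	Count  int
}

// sampleLog is constructed input: one source deleting jobs in a burst with
// no credential, and one legitimate authenticated client.
const sampleLog = `2026-01-22T10:00:01Z 198.51.100.7 GET /api/v1/jobs 200 auth=jwt
2026-01-22T10:00:05Z 203.0.113.5 DELETE /api/v1/jobs/11 200 auth=none
2026-01-22T10:00:06Z 203.0.113.5 DELETE /api/v1/jobs/12 200 auth=none
2026-01-22T10:00:07Z 203.0.113.5 DELETE /api/v1/jobs/13 200 auth=none
2026-01-22T10:00:08Z 203.0.113.5 DELETE /api/v1/jobs/14 200 auth=none
2026-01-22T10:00:09Z 203.0.113.5 POST /api/v1/jobs 200 auth=none
2026-01-22T10:03:00Z 198.51.100.7 POST /api/v1/jobs 200 auth=jwt
2026-01-22T10:04:00Z 198.51.100.7 GET /api/v1/jobs/42 200 auth=jwt`

// parseLine parses the constructed six-field format; unexpected shapes are errors.
func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return Event{}, fmt.Errorf("unexpected field count in %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	status, err := strconv.Atoi(f[4])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, Source: f[1], Method: f[2], Path: f[3], Status: status,
		Authed: strings.TrimPrefix(f[5], "auth=") != "none"}, nil
}

// ParseLog parses every non-empty line of text.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// isJobWrite selects the mutating Job API operations named in the advisory.
func isJobWrite(ev Event) bool {
	if !strings.HasPrefix(ev.Path, "/api/v1/jobs") {
		return false
	}
	return ev.Method == "POST" || ev.Method == "PATCH" || ev.Method == "DELETE"
}

// Detect applies both rules and returns alerts sorted by rule, then source.
func Detect(events []Event, window time.Duration, maxWrites int) []Alert {
	unauthed := map[string]int{}
	writes := map[string][]time.Time{}
	for _, ev := range events {
		if !isJobWrite(ev) {
			continue
		}
		writes[ev.Source] = append(writes[ev.Source], ev.At)
		if !ev.Authed {
			unauthed[ev.Source]++
		}
	}
	var alerts []Alert
	for src, n := range unauthed {
		alerts = append(alerts, Alert{"unauthenticated-write", src, n})
	}
	for src, ts := range writes {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		peak, j := 0, 0 // sliding window: j trails i so that ts[i]-ts[j] <= window
		for i := range ts {
			for ts[i].Sub(ts[j]) > window {
				j++
			}
			if n := i - j + 1; n > peak {
				peak = n
			}
		}
		if peak > maxWrites {
			alerts = append(alerts, Alert{"write-burst", src, peak})
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		if alerts[i].Rule != alerts[j].Rule {
			return alerts[i].Rule < alerts[j].Rule
		}
		return alerts[i].Source < alerts[j].Source
	})
	return alerts
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, time.Minute, 3) {
		fmt.Printf("%-22s source=%s count=%d\n", a.Rule, a.Source, a.Count)
	}
}
```

The unauthenticated-write rule is the one that matters on an unpatched build, because every successful write without a credential is by definition abuse of this defect; the burst rule stays useful after the fix, since job creation and deletion floods from a single principal are the resource-exhaustion path the advisory names.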

Exploit

Fix

Weakness Enumeration
Missing Authentication

Related Identifiers
CVE-2026-24124
GHSA-J8HF-CP34-G4J7
GO-2026-4356
SUSE-SU-2026:0403-1

Affected Products
Dragonfly