CVE-2026-31882

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31882
Aliases
Published
2026-03-13T19:28:25.615Z
Modified
2026-04-10T05:42:12.632487Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Dagu SSE Authentication Bypass in Basic Auth Mode
Details

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGUAUTHMODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31882.json",
    "cwe_ids": [
        "CWE-306"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dagu-org/dagu

Affected ranges

Type
GIT
Repo
https://github.com/dagu-org/dagu
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
12c2e5395bd9331d49ca103593edfd0db39c4f38

Affected versions

v1.*
v1.0.1
v1.0.2
v1.1.0
v1.1.2
v1.1.3
v1.1.4
v1.1.5
v1.1.6
v1.1.8
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
v1.11.0
v1.12.0
v1.12.1
v1.12.10
v1.12.11
v1.12.2
v1.12.3
v1.12.4
v1.12.5
v1.12.6
v1.12.7
v1.12.8
v1.12.9
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.14.5
v1.14.6
v1.14.7
v1.14.8
v1.15.0
v1.15.1
v1.16.0
v1.16.1
v1.16.2
v1.16.3
v1.16.4
v1.17.0
v1.17.0-beta.10
v1.17.0-beta.11
v1.17.0-beta.12
v1.17.0-beta.13
v1.17.0-beta.14
v1.17.0-beta.15
v1.17.0-beta.2
v1.17.0-beta.3
v1.17.0-beta.4
v1.17.0-beta.5
v1.17.0-beta.6
v1.17.0-beta.7
v1.17.0-beta.8
v1.17.0-beta.9
v1.17.1
v1.17.2
v1.17.3
v1.17.4
v1.18.0
v1.18.1
v1.18.2
v1.18.3
v1.18.4
v1.19.0
v1.19.1
v1.2.10
v1.2.11
v1.2.12
v1.2.14
v1.2.15
v1.2.16
v1.20.0
v1.21.0
v1.22.0
v1.22.1
v1.22.2
v1.22.3
v1.22.4
v1.23.0
v1.23.1
v1.23.2
v1.23.4
v1.24.0
v1.24.1
v1.24.11
v1.24.2
v1.24.3
v1.24.4
v1.24.5
v1.24.6
v1.24.7
v1.24.8
v1.25.0
v1.25.1
v1.26.0
v1.26.1
v1.26.2
v1.26.3
v1.26.4
v1.26.5
v1.27.0
v1.28.0
v1.29.0
v1.29.1
v1.29.2
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.30.0
v1.30.1
v1.30.2
v1.30.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.10
v1.7.11
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.1
v2.2.2
v2.2.3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31882.json"