CVE-2026-31886

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31886

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31886.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31886

Aliases

Downstream

SUSE-SU-2026:1042-1

Related

SUSE-SU-2026:1042-1

Published

2026-03-13T19:32:09.415Z

Modified

2026-04-10T05:42:14.035704Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H CVSS Calculator

Summary

Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution

Details

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31886.json",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/dagu-org/dagu

Affected ranges

Type: GIT
Repo: https://github.com/dagu-org/dagu
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

12c2e5395bd9331d49ca103593edfd0db39c4f38

Affected versions

v1.*

v1.0.1

v1.0.2

v1.1.0

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.8

v1.10.1

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.10.6

v1.11.0

v1.12.0

v1.12.1

v1.12.10

v1.12.11

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.12.6

v1.12.7

v1.12.8

v1.12.9

v1.13.0

v1.13.1

v1.14.0

v1.14.1

v1.14.2

v1.14.3

v1.14.4

v1.14.5

v1.14.6

v1.14.7

v1.14.8

v1.15.0

v1.15.1

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.16.4

v1.17.0

v1.17.0-beta.10

v1.17.0-beta.11

v1.17.0-beta.12

v1.17.0-beta.13

v1.17.0-beta.14

v1.17.0-beta.15

v1.17.0-beta.2

v1.17.0-beta.3

v1.17.0-beta.4

v1.17.0-beta.5

v1.17.0-beta.6

v1.17.0-beta.7

v1.17.0-beta.8

v1.17.0-beta.9

v1.17.1

v1.17.2

v1.17.3

v1.17.4

v1.18.0

v1.18.1

v1.18.2

v1.18.3

v1.18.4

v1.19.0

v1.19.1

v1.2.10

v1.2.11

v1.2.12

v1.2.14

v1.2.15

v1.2.16

v1.20.0

v1.21.0

v1.22.0

v1.22.1

v1.22.2

v1.22.3

v1.22.4

v1.23.0

v1.23.1

v1.23.2

v1.23.4

v1.24.0

v1.24.1

v1.24.11

v1.24.2

v1.24.3

v1.24.4

v1.24.5

v1.24.6

v1.24.7

v1.24.8

v1.25.0

v1.25.1

v1.26.0

v1.26.1

v1.26.2

v1.26.3

v1.26.4

v1.26.5

v1.27.0

v1.28.0

v1.29.0

v1.29.1

v1.29.2

v1.3.0

v1.3.1

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.3.17

v1.3.18

v1.3.19

v1.3.2

v1.3.20

v1.3.21

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.30.0

v1.30.1

v1.30.2

v1.30.3

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.10

v1.7.11

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.2.0

v2.2.1

v2.2.2

v2.2.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31886.json"