4 matches found

OSV
added 2026/03/13 7:28 p.m., 4 views

CVE-2026-31882 Dagu SSE Authentication Bypass in Basic Auth Mode

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGUAUTHMODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...

7.5 CVSS, 6 AI score, 0.0017 EPSS
Exploits: 1, References: 6
EUVD
added 2026/03/13 3:5 p.m., 2 views

EUVD-2026-12087

Dagu: SSE Authentication Bypass in Basic Auth Mode...

7.5 CVSS, 5.8 AI score, 0.0017 EPSS
Exploits: 1, References: 4
CNNVD
added 2026/03/13 12:0 a.m., 3 views

dagu access control error vulnerability

Dagu is an open-source workflow engine developed by Dagu Workflow Engine. Versions of Dagu prior to 2.2.4 contained a security vulnerability related to access control. This vulnerability stemmed from the use of HTTP basic authentication, where all server-sent event endpoints could be accessed...

7.5 CVSS, 5.8 AI score, 0.0017 EPSS
Exploits: 1, References: 4
OSV
added 2026/02/19 10:4 p.m., 3 views

GHSA-6QR9-G2XW-CW92 Dagu affected by unauthenticated RCE via inline DAG spec in default configuration

Summary Dagu's default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default. Details...

9.8 CVSS, 6 AI score
Exploits: 0, References: 2