Cyber Resilience

CVE-2026-24124

HighPublic PoC

Published: 22 January 2026

Published
22 January 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0071 48.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24124 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Linuxfoundation Dragonfly. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-24124 affects Dragonfly, an open source P2P-based file distribution and image acceleration system, specifically in versions 2.4.1-rc.0 and below. The vulnerability stems from the Job API endpoints (/api/v1/jobs) in the Manager API lacking JWT authentication middleware and RBAC authorization checks in the routing configuration, classified under CWE-306 (Missing Authentication for Critical Function). This results in a critical severity score of CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enabling unauthorized access to sensitive job management functions.

Any unauthenticated attacker with network access to the Manager API can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Successful exploitation allows the attacker to view, update, and delete jobs, potentially disrupting file distribution operations, altering ongoing transfers, or extracting sensitive data from job metadata.

The issue has been addressed in Dragonfly version 2.4.1-rc.1, where authentication and authorization checks were added to the affected endpoints. Official mitigation guidance is detailed in the GitHub security advisory (GHSA-j8hf-cp34-g4j7) and the fixing commit (9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f), recommending immediate upgrades for exposed Manager API instances.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with…

more

access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing Manager API (Job API endpoints), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59352Same product: Linuxfoundation Dragonfly
CVE-2026-35171Same vendor: Linuxfoundation
CVE-2025-68137Same vendor: Linuxfoundation
CVE-2026-33701Same vendor: Linuxfoundation
CVE-2026-37530Same vendor: Linuxfoundation
CVE-2024-24421Same vendor: Linuxfoundation
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306

Affected Assets

linuxfoundation
dragonfly
2.4.1 · ≤ 2.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of access control policies, directly requiring JWT authentication and RBAC checks on Job API endpoints to block unauthorized view, update, and delete actions.

prevent

IA-9 requires unique identification and authentication of system services like the Manager API, addressing the missing JWT middleware that allowed unauthenticated access.

prevent

AC-6 enforces least privilege via RBAC, mitigating unauthorized job modifications once authentication is in place but not fully addressing the lack of initial authentication.

References