CVE-2026-24124
Published: 22 January 2026
Summary
CVE-2026-24124 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Linuxfoundation Dragonfly. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of access control policies, directly requiring JWT authentication and RBAC checks on Job API endpoints to block unauthorized view, update, and delete actions.
IA-9 requires unique identification and authentication of system services like the Manager API, addressing the missing JWT middleware that allowed unauthenticated access.
AC-6 enforces least privilege via RBAC, mitigating unauthorized job modifications once authentication is in place but not fully addressing the lack of initial authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing Manager API (Job API endpoints), directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with…
more
access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
Deeper analysisAI
CVE-2026-24124 affects Dragonfly, an open source P2P-based file distribution and image acceleration system, specifically in versions 2.4.1-rc.0 and below. The vulnerability stems from the Job API endpoints (/api/v1/jobs) in the Manager API lacking JWT authentication middleware and RBAC authorization checks in the routing configuration, classified under CWE-306 (Missing Authentication for Critical Function). This results in a critical severity score of CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enabling unauthorized access to sensitive job management functions.
Any unauthenticated attacker with network access to the Manager API can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Successful exploitation allows the attacker to view, update, and delete jobs, potentially disrupting file distribution operations, altering ongoing transfers, or extracting sensitive data from job metadata.
The issue has been addressed in Dragonfly version 2.4.1-rc.1, where authentication and authorization checks were added to the affected endpoints. Official mitigation guidance is detailed in the GitHub security advisory (GHSA-j8hf-cp34-g4j7) and the fixing commit (9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f), recommending immediate upgrades for exposed Manager API instances.
Details
- CWE(s)