Cyber Posture

CVE-2026-31886

Critical · Public PoC

Published: 13 March 2026

Modified: 18 March 2026
KEV Added: not listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0005 (15.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31886 is a critical-severity Path Traversal (CWE-22) vulnerability in the Dagu workflow engine (vendor: Dagu). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation) · prevent
Directly requires validation of the dagRunId input to block path traversal via '..' segments before constructing temporary directory paths.

SI-2 (Flaw Remediation) · prevent
Mandates timely flaw remediation through patching to version 2.2.4, which adds dagRunId validation and prevents exploitation.

prevent
Enforces least privilege to run Dagu as non-root, limiting deletion scope to process-owned files in /tmp and mitigating system-wide DoS.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction · Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1499.004 Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Path traversal in a web UI endpoint enables exploitation of a public-facing application (T1190) for arbitrary directory deletion under /tmp, facilitating data destruction (T1485) and endpoint DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation.

Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

Deeper analysis

CVE-2026-31886 is a path traversal vulnerability (CWE-22) affecting Dagu, an open-source workflow engine with a built-in web user interface, in versions prior to 2.2.4. The issue arises in the inline DAG execution endpoints, where the dagRunId request field is passed directly into Go's filepath.Join function to construct a temporary directory path under /tmp/<name>/<id> without any format validation. This allows lexical resolution of ".." segments, enabling attackers to redirect the path outside the intended directory. A deferred cleanup function then executes os.RemoveAll on the resolved directory unconditionally upon HTTP handler completion, leading to unintended deletions.

An authenticated low-privilege user (PR:L) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) by submitting a dagRunId value such as "..". This traverses to the system temporary directory (/tmp on Linux), triggering deletion of its contents during cleanup. On non-root deployments, it removes all /tmp files owned by the Dagu process user, disrupting concurrent Dagu runs with live temp files. On root or Docker deployments, it causes a system-wide denial of service by wiping the entire /tmp directory. The vulnerability also enables limited confidentiality and integrity impacts (C:L/I:L), with a CVSS v3.1 base score of 9.1 due to the scope change (S:C) and high availability impact (A:H).

The vulnerability is fixed in Dagu version 2.2.4. The official security advisory (GHSA-m4q3-457p-hh2x) and corresponding commit (12c2e5395bd9331d49ca103593edfd0db39c4f38) detail the patch, which introduces proper validation of the dagRunId field to prevent traversal. Security practitioners should upgrade to 2.2.4 or later and review access controls on the web UI endpoints.
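To make the mechanism in the NVD description and the deeper analysis concrete, here is an added example (not Dagu's code, and not the 2.2.4 patch itself): unsafeRunDir reproduces the lexical filepath.Join behaviour that lets ".." escape /tmp/<name>, and safeRunDir shows the kind of allow-list plus containment check that stops it. The allow-list pattern and the function names are assumptions for illustration; the cleanup step (os.RemoveAll) is deliberately not performed.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// tempRoot stands in for the system temp directory (/tmp on Linux).
const tempRoot = "/tmp"

// unsafeRunDir reproduces the pre-2.2.4 pattern the NVD text describes: the
// caller-supplied id goes straight into filepath.Join, which resolves ".."
// lexically, so the result can land above /tmp/<name>.
func unsafeRunDir(name, dagRunID string) string {
	return filepath.Join(tempRoot, name, dagRunID)
}

// validToken is an assumed allow-list (hypothetical, not Dagu's actual rule):
// letters, digits, '-' and '_' only, so '.', '/' and '\' can never appear.
var validToken = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var errBadRunDir = errors.New("invalid DAG name or dagRunId")

// safeRunDir validates both path components against the allow-list and then,
// as defence in depth, confirms the resolved path is still strictly below
// tempRoot before any cleanup could be allowed to os.RemoveAll it.
func safeRunDir(name, dagRunID string) (string, error) {
	if !validToken.MatchString(name) || !validToken.MatchString(dagRunID) {
		return "", errBadRunDir
	}
	dir := filepath.Join(tempRoot, name, dagRunID)
	rel, err := filepath.Rel(tempRoot, dir)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadRunDir
	}
	return dir, nil
}

func main() {
	fmt.Println(unsafeRunDir("etl", "..")) // /tmp: the directory a deferred cleanup would wipe
	if _, err := safeRunDir("etl", ".."); err != nil {
		fmt.Println("rejected:", err)
	}
	dir, _ := safeRunDir("etl", "run-001")
	fmt.Println(dir) // /tmp/etl/run-001
}
```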

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

dagu / dagu: ≤ 2.2.4 (see the NVD description: fixed in 2.2.4)

CVEs Like This One

CVE-2026-33344 (same product: Dagu Dagu)
CVE-2026-31882 (same product: Dagu Dagu)
CVE-2025-14868 (shared CWE-22)
CVE-2026-33293 (shared CWE-22)
CVE-2024-8898 (shared CWE-22)
CVE-2025-69376 (shared CWE-22)
CVE-2025-70028 (shared CWE-22)
CVE-2025-69097 (shared CWE-22)
CVE-2025-7359 (shared CWE-22)
CVE-2026-22448 (shared CWE-22)

References