CVE-2026-31886

Critical · Public PoC

Published: 13 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: available (fixed in 2.2.4)
CVSS Score (v3.1): 9.1, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H
EPSS Score: 0.0042 (33.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31886 is a critical-severity Path Traversal (CWE-22) vulnerability in Dagu (vendor Dagu). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31886 is a path traversal vulnerability (CWE-22) affecting Dagu, an open-source workflow engine with a built-in web user interface, in versions prior to 2.2.4. The issue arises in the inline DAG execution endpoints, where the dagRunId request field is passed directly into Go's filepath.Join function to construct a temporary directory path under /tmp/<name>/<id> without any format validation. Because filepath.Join resolves ".." segments lexically, a crafted value redirects the computed path outside the intended directory. A deferred cleanup function then executes os.RemoveAll on the resolved directory unconditionally when the HTTP handler completes, leading to unintended deletions.

An authenticated low-privilege user (PR:L) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) by submitting a dagRunId value such as "..". This traverses to the system temporary directory (/tmp on Linux), triggering deletion of its contents during cleanup. On non-root deployments, it removes all /tmp files owned by the Dagu process user, disrupting concurrent Dagu runs with live temp files. On root or Docker deployments, it causes a system-wide denial of service by wiping the entire /tmp directory. The vulnerability also enables limited confidentiality and integrity impacts (C:L/I:L), with a CVSS v3.1 base score of 9.1 due to the scope change (S:C) and high availability impact (A:H).

The vulnerability is fixed in Dagu version 2.2.4. The official security advisory (GHSA-m4q3-457p-hh2x) and corresponding commit (12c2e5395bd9331d49ca103593edfd0db39c4f38) detail the patch, which introduces proper validation of the dagRunId field to prevent traversal. Security practitioners should upgrade to 2.2.4 or later and review access controls on the web UI endpoints.

Vulnerability details

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation.

Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.
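To make the mechanism described in the analysis and details sections concrete, the following Go snippet (added here; it is not Dagu's code, and every name in it is an assumption) places the vulnerable filepath.Join construction beside a hardened version that allow-lists the id and then checks containment before the path could ever reach a deferred os.RemoveAll.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed layout from the advisory: one scratch directory per run under /tmp/<name>/<id>.
const tempBase = "/tmp"

// unsafeRunDir mirrors the vulnerable construction: the caller-supplied id goes straight
// into filepath.Join, which collapses ".." lexically, so the result can leave /tmp/<name>.
func unsafeRunDir(name, id string) string {
	return filepath.Join(tempBase, name, id)
}

// runIDPattern is an assumed allow-list: identifier characters only, so separators and
// dot-segments cannot appear in the id at all.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

var ErrInvalidRunID = errors.New("invalid dagRunId")

// safeRunDir validates the id, then independently confirms the joined path is still a
// direct child of /tmp/<name> before it could reach a deferred os.RemoveAll. The second
// check is defence in depth: it still holds if the allow-list is loosened later.
func safeRunDir(name, id string) (string, error) {
	if !runIDPattern.MatchString(id) {
		return "", fmt.Errorf("%w: %q", ErrInvalidRunID, id)
	}
	parent := filepath.Join(tempBase, name)
	dir := filepath.Join(parent, id)
	rel, err := filepath.Rel(parent, dir)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) ||
		strings.ContainsRune(rel, filepath.Separator) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrInvalidRunID, id, parent)
	}
	return dir, nil
}

func main() {
	fmt.Println(unsafeRunDir("wf", ".."))         // /tmp: the run directory was escaped
	fmt.Println(safeRunDir("wf", ".."))           // prints the empty path and the error
	fmt.Println(safeRunDir("wf", "run-20260313")) // /tmp/wf/run-20260313 <nil>
}
```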

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Path traversal in a web UI endpoint enables exploitation of the public-facing application (T1190) for arbitrary file deletion in /tmp, which constitutes data destruction (T1485) and an endpoint DoS via application exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33344 (same product: Dagu Dagu)
CVE-2026-31882 (same product: Dagu Dagu)
CVE-2026-24970 (shared CWE-22)
CVE-2026-4351 (shared CWE-22)
CVE-2026-45230 (shared CWE-22)
CVE-2025-68901 (shared CWE-22)
CVE-2026-33293 (shared CWE-22)
CVE-2025-26540 (shared CWE-22)
CVE-2025-7359 (shared CWE-22)
CVE-2025-70952 (shared CWE-22)

Affected Assets

Vendor: dagu
Product: dagu
Versions: ≤ 2.2.4

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent): Directly requires validation of the dagRunId input to block path traversal via '..' segments before constructing temporary directory paths.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation through patching to version 2.2.4, which adds dagRunId validation and prevents exploitation.

AC-6 Least Privilege (prevent): Enforces least privilege to run Dagu as non-root, limiting deletion scope to process-owned files in /tmp and mitigating system-wide DoS.
