CVE-2026-24124

CriticalPublic PoC

Published: 22 January 2026

Published

22 January 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with…

access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of access control policies, directly requiring JWT authentication and RBAC checks on Job API endpoints to block unauthorized view, update, and delete actions.

IA-9 Service Identification and Authentication good match

prevent

IA-9 requires unique identification and authentication of system services like the Manager API, addressing the missing JWT middleware that allowed unauthenticated access.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege via RBAC, mitigating unauthorized job modifications once authentication is in place but not fully addressing the lack of initial authentication.

Security SummaryAI

CVE-2026-24124 affects Dragonfly, an open source P2P-based file distribution and image acceleration system, specifically in versions 2.4.1-rc.0 and below. The vulnerability stems from the Job API endpoints (/api/v1/jobs) in the Manager API lacking JWT authentication middleware and RBAC authorization checks in the routing configuration, classified under CWE-306 (Missing Authentication for Critical Function). This results in a critical severity score of CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enabling unauthorized access to sensitive job management functions.

Any unauthenticated attacker with network access to the Manager API can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. Successful exploitation allows the attacker to view, update, and delete jobs, potentially disrupting file distribution operations, altering ongoing transfers, or extracting sensitive data from job metadata.

The issue has been addressed in Dragonfly version 2.4.1-rc.1, where authentication and authorization checks were added to the affected endpoints. Official mitigation guidance is detailed in the GitHub security advisory (GHSA-j8hf-cp34-g4j7) and the fixing commit (9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f), recommending immediate upgrades for exposed Manager API instances.

Details

CWE(s): CWE-306

Affected Products

linuxfoundation

dragonfly

2.4.1 · ≤ 2.4.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing Manager API (Job API endpoints), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f
Patch · security-advisories@github.com
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com