CVE-2026-31886
Published: 13 March 2026
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2026-31886 is a path traversal vulnerability (CWE-22) in Dagu, an open-source workflow engine with a built-in web UI, affecting versions prior to 2.2.4. The flaw is in the inline DAG execution endpoints: the dagRunId request field is passed directly into Go's filepath.Join to build a per-run temporary directory at /tmp/<name>/<id>, with no validation of its format. filepath.Join cleans the result lexically, so ".." segments in the id are resolved and the path can be redirected outside the intended directory. A deferred cleanup function then calls os.RemoveAll on the resolved directory unconditionally when the HTTP handler returns, deleting whatever that path now points to.
An authenticated low-privilege user (PR:L) with network access to the UI (AV:N) can exploit this with low complexity (AC:L) by submitting a dagRunId of "..": filepath.Join("/tmp", "<name>", "..") resolves to /tmp itself, so the cleanup removes the contents of the system temporary directory. On non-root deployments this removes every file in /tmp that the Dagu process user is allowed to unlink, breaking concurrent Dagu runs that keep live temp files there. On root or Docker deployments it wipes /tmp for the whole host or container, a system-wide denial of service. Because the id is cleaned rather than constrained, values with more ".." segments resolve above /tmp as well; what can be deleted is then bounded only by the process's filesystem permissions. Impact on confidentiality and integrity is rated low (C:L/I:L); the CVSS v3.1 base score is 9.1, driven by the changed scope (S:C) and the high availability impact (A:H).
The fix ships in Dagu 2.2.4. The advisory (GHSA-m4q3-457p-hh2x) and the fixing commit (12c2e5395bd9331d49ca103593edfd0db39c4f38) describe the patch, which validates the dagRunId field before it is used to build a path. Upgrade to 2.2.4 or later; until then, restrict who can authenticate to the web UI, since a low-privilege account is sufficient, and run Dagu as an unprivileged user so that a successful trigger can only remove that user's own files from /tmp.
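The following Go program is added here as an illustration; it is not Dagu's code and not the fixing commit. It reconstructs the pattern described above: vulnTempDir joins a request-controlled id the way the summary describes, so ".." resolves to the temp root, and safeTempDir shows one way to validate the id before any path is built and to confirm the result stays under the per-name directory before a deferred cleanup is allowed to run. The function names, the allowlist regex for dagRunId and the base/name layout are assumptions for the example; the exact validation rule in 2.2.4 is not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Illustrative reconstruction of the CVE-2026-31886 pattern; not Dagu's code.
// base/name/id follows the /tmp/<name>/<id> layout the advisory describes.

// vulnTempDir mirrors the unsafe construction: the request-controlled id is
// joined lexically, so filepath.Join (which calls filepath.Clean) resolves
// ".." segments and the result can escape base/name.
func vulnTempDir(base, name, id string) string {
	return filepath.Join(base, name, id)
}

// dagRunIDPattern is an assumed allowlist (not the exact rule in the 2.2.4
// patch): ASCII letters, digits, '-' and '_' only, so "..", "." and path
// separators are rejected before a path is ever built.
var dagRunIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

var errBadDagRunID = errors.New("invalid dagRunId")

func validateDagRunID(id string) error {
	if !dagRunIDPattern.MatchString(id) {
		return errBadDagRunID
	}
	return nil
}

// isInside reports whether path is a strict descendant of root after cleaning.
func isInside(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeTempDir validates the id, joins, and then (defence in depth) checks
// that the resolved directory is strictly inside base/name.
func safeTempDir(base, name, id string) (string, error) {
	if err := validateDagRunID(id); err != nil {
		return "", err
	}
	root := filepath.Join(base, name)
	dir := filepath.Join(root, id)
	if !isInside(root, dir) {
		return "", fmt.Errorf("%w: resolved outside %s", errBadDagRunID, root)
	}
	return dir, nil
}

// cleanupTempDir is the guarded counterpart of the deferred os.RemoveAll:
// it refuses to delete anything that is not a strict descendant of root.
func cleanupTempDir(root, dir string) error {
	if !isInside(root, dir) {
		return fmt.Errorf("refusing to remove %s: not under %s", dir, root)
	}
	return os.RemoveAll(dir)
}

func main() {
	base := os.TempDir()
	fmt.Println("unsafe join with id \"..\":", vulnTempDir(base, "inline", "..")) // equals base
	for _, id := range []string{"run-123", "..", "../../etc", "a/b", ""} {
		dir, err := safeTempDir(base, "inline", id)
		fmt.Printf("id=%q -> dir=%q err=%v\n", id, dir, err)
	}
	// Exercise the cleanup guard on a real, disposable directory.
	root := filepath.Join(base, "dagu-traversal-example")
	if err := os.MkdirAll(filepath.Join(root, "run-123"), 0o700); err != nil {
		fmt.Println("mkdir:", err)
		return
	}
	defer os.RemoveAll(root)
	fmt.Println("guarded cleanup of root/..:", cleanupTempDir(root, filepath.Join(root, "..")))
	fmt.Println("guarded cleanup of run-123:", cleanupTempDir(root, filepath.Join(root, "run-123")))
}
```

The two checks are deliberately independent: the allowlist stops traversal at the input boundary, and the isInside check on the resolved path protects the destructive call even if a future code path bypasses validation or the layout changes.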
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
Affected Products
- Dagu, versions prior to 2.2.4 (fixed in 2.2.4)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a web UI endpoint allows an authenticated user to exploit the public-facing application (T1190) to delete files under /tmp, which constitutes data destruction (T1485) and causes an endpoint denial of service via application exploitation (T1499.004).