CVE-2026-31882: Dagu Workflow Engine Auth Bypass Flaw

CVE-2026-31882 Overview

CVE-2026-31882 is an authentication bypass vulnerability affecting Dagu, a workflow engine with a built-in Web user interface. Prior to version 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints remain accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — completely bypassing the authentication that protects the REST API.

Critical Impact

Unauthenticated attackers can access sensitive workflow execution data, configurations, and logs in real-time, potentially exposing business logic, credentials in workflows, and operational intelligence.

Affected Products

• Dagu versions prior to 2.2.4
• Dagu instances configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic)
• Dagu SSE/streaming endpoints

Discovery Timeline

• 2026-03-13 - CVE-2026-31882 published to NVD
• 2026-03-18 - Last updated in NVD database

Technical Details for CVE-2026-31882

Vulnerability Analysis

This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The root cause lies in the buildStreamAuthOptions() function which constructs authentication options for SSE/streaming endpoints. When the authentication mode is set to basic, the function returns an auth.Options struct with BasicAuthEnabled: true, but critically, the AuthRequired field defaults to false due to Go's zero value behavior. This configuration oversight means that while Basic authentication validation is technically enabled for programmatic clients, the authentication middleware at internal/service/frontend/auth/middleware.go permits unauthenticated requests when AuthRequired is false.

The vulnerability creates a significant gap in access control where REST API endpoints are properly protected by Basic authentication, but SSE endpoints serving the same sensitive data can be accessed without any credentials.

Root Cause

The vulnerability stems from an incorrect default value in Go's struct initialization. When auth.Options is created with BasicAuthEnabled: true but without explicitly setting AuthRequired, the boolean field defaults to false (Go's zero value for booleans). The original code comments indicate this was an intentional workaround because browser EventSource API cannot send custom headers for Basic credentials. However, this design decision created a security hole that allowed complete bypass of authentication for SSE endpoints.

Attack Vector

An attacker can exploit this vulnerability by directly accessing SSE endpoints without providing any credentials. Since SSE endpoints expose real-time DAG execution data, workflow configurations, execution logs, and queue status, an attacker on the same network or with access to the Dagu instance can passively monitor all workflow activity. The attack requires no authentication and can be performed from any network location with access to the Dagu web interface.

// Security patch in internal/service/frontend/server.go
// Source: https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775

 		return auth.Options{Realm: realm}
 	}
 
-	// Basic auth mode: The browser EventSource API cannot send custom headers,
-	// so it cannot provide Basic credentials. We enable Basic auth validation
-	// (so programmatic clients like curl are authenticated) but set
-	// AuthRequired=false so browser SSE connections without credentials are
-	// not blocked with 401.
-	// FIXME: add a session-token mechanism for basic-auth users so browser
-	// EventSource requests can authenticate via the ?token= query parameter.
+	// Basic auth mode: require credentials for SSE endpoints just like REST.
+	// Browsers handle 401 + WWW-Authenticate: Basic challenges natively,
+	// caching credentials per origin/realm, so EventSource requests will
+	// include Basic auth automatically after the user authenticates once.
 	if authCfg.Mode == config.AuthModeBasic {
 		return auth.Options{
 			Realm:            realm,
 			BasicAuthEnabled: true,
+			AuthRequired:     true,
 			Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},
 		}
 	}

Source: GitHub Commit Update

Detection Methods for CVE-2026-31882

Indicators of Compromise

• Unauthenticated HTTP requests to SSE endpoints (typically paths containing /events, /stream, or similar SSE patterns) from unexpected IP addresses
• Access logs showing successful SSE connections without corresponding authentication entries
• Unusual volume of SSE connections from single sources that may indicate reconnaissance or data harvesting
• Connection patterns to SSE endpoints that do not match legitimate user browser sessions

Detection Strategies

• Monitor web server access logs for SSE endpoint access patterns that lack authentication headers
• Implement network-level monitoring to detect connections to Dagu SSE endpoints from unauthorized sources
• Deploy intrusion detection rules to alert on EventSource connections to Dagu without Basic authentication credentials
• Review application logs for SSE connection activity that doesn't correlate with authenticated user sessions

Monitoring Recommendations

• Enable detailed access logging for all Dagu endpoints, particularly SSE/streaming paths
• Configure alerting on authentication bypass attempts or unauthenticated access to sensitive endpoints
• Implement rate limiting on SSE endpoints to mitigate potential abuse during the vulnerability window
• Monitor for data exfiltration patterns that may indicate ongoing exploitation

How to Mitigate CVE-2026-31882

Immediate Actions Required

• Upgrade Dagu to version 2.2.4 or later immediately
• If immediate upgrade is not possible, restrict network access to Dagu SSE endpoints using firewall rules or reverse proxy configuration
• Review access logs for any evidence of exploitation prior to patching
• Consider temporarily disabling SSE functionality if sensitive data exposure is a critical concern

Patch Information

The vulnerability is fixed in Dagu version 2.2.4. The patch adds AuthRequired: true to the authentication options for SSE endpoints when Basic authentication mode is configured, ensuring that browsers and all clients must provide valid credentials. The fix is documented in GitHub Pull Request 1752 and the release is available at GitHub Release v2.2.4. For additional details, refer to the GitHub Security Advisory GHSA-9wmw-9wph-2vwp.

Workarounds

• Place Dagu behind a reverse proxy (nginx, Caddy, etc.) that enforces authentication on all endpoints including SSE paths
• Implement network segmentation to restrict access to Dagu instances to trusted networks only
• Configure firewall rules to block external access to SSE endpoints while allowing REST API access through authenticated channels
• Use VPN or zero-trust network access to limit exposure of the Dagu web interface

# Example nginx configuration to enforce auth on SSE endpoints
# Add this to your nginx server block protecting Dagu

location ~ ^/api/.*/events {
    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://dagu_backend;
    proxy_set_header Connection '';
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
    proxy_buffering off;
    proxy_cache off;
}