{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33344", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.813Z", "datePublished": "2026-03-24T19:23:56.617Z", "dateUpdated": "2026-03-24T19:57:38.816Z"}, "containers": {"cna": {"title": "Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"}, {"name": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"version": ">= 2.0.0, < 2.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:23:56.617Z"}, "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "source": {"advisory": "GHSA-ph8x-4jfv-v9v8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T19:48:53.736104Z", "id": "CVE-2026-33344", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T19:57:38.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33344", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T19:48:53.736104Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T19:57:31.699Z"}}], "cna": {"title": "Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG", "source": {"advisory": "GHSA-ph8x-4jfv-v9v8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dagu-org", "product": "dagu", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.3.1"}]}], "references": [{"url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "name": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "name": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:23:56.617Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33344", "state": "PUBLISHED", "dateUpdated": "2026-03-24T19:57:38.816Z", "dateReserved": "2026-03-18T22:15:11.813Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T19:23:56.617Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA816FA1-28C8-423D-9509-4299AA991660", "versionEndExcluding": "2.3.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1."}], "id": "CVE-2026-33344", "lastModified": "2026-03-26T13:03:13.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:28.910", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.3.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dagu", "source": "cna", "vendor": "dagu-org"}, "product": "dagu", "vendor": "dagu-org"}], "analysis": {"en": {"generated_at": "2026-03-24T20:21:25.372823+00:00", "value": {"mitigation_remediation": ["Apply the latest Dagu release version 2.3.1 or later which includes the ValidateDAGName check and updated path handling for all API endpoints.", "If upgrading is not yet possible, restrict network access to the Dagu web interface and API endpoints to trusted hosts only.", "Implement authentication and role\u2011based access controls for the API to prevent unauthenticated users from invoking file\u2011based endpoints.", "Periodically review Dagu changelogs and security advisories for additional updates or patches related to this issue."], "summary": {"action": "Apply Patch", "impact": "Directory Traversal via encoded slashes"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts dagu-org's Dagu product, specifically versions between 2.0.0 (inclusive) and before 2.3.1. All affected deployments rely on the locateDAG API which ignores the ValidateDAGName check, leaving them open to traversal. Versions 2.3.1 and later contain the fix that correctly validates names and rewrites path generation.", "description_and_impact": "Dagu, a workflow engine with a built\u2011in web interface, is vulnerable to a directory traversal flaw affecting its API endpoints GET, DELETE, RENAME, and EXECUTE. The bug arises because the file name supplied in the URL path is passed to locateDAG without validating the name or preventing URL\u2011encoded forward slashes. Attackers can encode %2F to slip outside the intended DAGs directory, potentially reading or manipulating arbitrary files on the underlying system. This can lead to serious confidentiality violations and, if write access is achieved, could be escalated to further compromise.", "risk_and_exploitability": "With a CVSS score of 8.1, Dagu falls into the high severity range, though EPSS scoring is not available and the flaw is not listed in CISA's KEV catalog. Inferred attack vector is remote via exposed API endpoints; the attacker needs only to craft a URL containing %2F in the file name parameter. Once the endpoint is reached, the traversal bypasses the intended DAGs directory boundary, allowing access to files outside that sandbox. The exploit requires knowledge of valid DAG names but can be attempted automatically through enumeration or brute\u2011force techniques. The lack of an authentication requirement in the public description increases the risk profile, as unauthenticated users can trigger the traversal if the service is reachable."}}}}, "created": "2026-03-25T11:46:16.744709+00:00", "updated": "2026-03-25T20:57:42.071000+00:00", "vendors": ["dagu-org", "dagu-org$PRODUCT$dagu"]}