GHSA-6QR9-G2XW-CW92: Dagu: The Friendly Ghost that Runs Your Malware

Published: February 20, 2026 at 05:40 AM EST
Source: Dev.to

Vulnerability Overview

  • Vulnerability ID: GHSA-6QR9-G2XW-CW92
  • CVSS Score: 9.8 (Critical)
  • Published: 2026-02-19
  • CWE ID: CWE-306
  • Attack Vector: Network
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Functional PoC
  • Authentication Required: None (default configuration)

Dagu is a lightweight Go‑based workflow engine often used as a cron alternative. In its default configuration it exposed API endpoints that accept inline DAG definitions without any authentication, effectively providing “RCE as a Service.” An unauthenticated attacker could POST a crafted YAML file and execute arbitrary shell commands on the host server via simple HTTP requests.

Technical Details

  • Affected Component: API endpoint POST /api/v1/dags
  • Default Port: 8080
  • Root Cause: Lack of authentication middleware on the endpoint that processes DAG definitions, allowing direct mapping of user‑supplied input to execution functions.

Example Patch

    // r is the application's HTTP router, assumed to be in scope here;
    // the snippet is illustrative and not a verbatim upstream diff.
    func (s *Server) Routes() {
        // Original insecure route: the DAG handler was reachable by anyone
        // r.Post("/api/v1/dags", s.handlePostDags)

        // Secured route: the authentication middleware runs before the
        // handler that parses and schedules the submitted DAG definition
        r.Post("/api/v1/dags", authMiddleware(s.handlePostDags))
    }

Mitigations

  • Enable built‑in authentication in the Dagu configuration.
  • Restrict network access to the Dagu API port (default 8080) using firewall rules or network policies.
  • Run Dagu under a non‑privileged user account.

Remediation Steps

  1. Edit config.yaml (or dagu.yaml).

  2. Set the authentication mode:

     auth:
       mode: builtin
       username:
       password:

  3. Restart the Dagu service.

  4. Verify that accessing the UI or API now returns 401 Unauthorized for unauthenticated requests.
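The following Go program is an added example, not Dagu's own code or the project's patch. It shows what the `authMiddleware` wrapper named in the example patch above needs to do, and it carries out remediation step 4 in-process: an unauthenticated POST to `/api/v1/dags` must come back as 401 before the DAG handler ever sees the body. The credentials, the stand-in `handlePostDags`, the `newMux`/`probe` helpers and the request body are all constructed for this example; real Dagu reads its credentials from the `auth` section of its configuration rather than from constants.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Placeholder credentials for this example only; a deployment would load
// these from configuration (the "auth" block in the remediation steps).
const (
	exampleUser = "dagu-admin"
	examplePass = "replace-me"
)

// authMiddleware is an assumed implementation of the wrapper in the example
// patch. It rejects any request without valid HTTP basic-auth credentials
// before the wrapped handler (the one that parses DAG input) can run.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		// Constant-time comparison so response timing does not reveal how
		// many leading bytes of a guessed credential were correct.
		userOK := subtle.ConstantTimeCompare([]byte(user), []byte(exampleUser)) == 1
		passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(examplePass)) == 1
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="dagu"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// handlePostDags stands in for the DAG-creation handler. It only reports
// that an authenticated request reached it and executes nothing.
func handlePostDags(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusCreated)
	_, _ = w.Write([]byte("dag accepted"))
}

// newMux wires the route the way the patch describes: the handler is only
// reachable through the middleware.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/dags", authMiddleware(http.HandlerFunc(handlePostDags)))
	return mux
}

// probe performs remediation step 4 against an in-memory server: POST a
// constructed body to /api/v1/dags, with or without credentials, and
// return the HTTP status code.
func probe(h http.Handler, user, pass string) int {
	body := strings.NewReader("steps:\n  - name: hello\n    command: echo hi\n") // constructed sample body
	req := httptest.NewRequest(http.MethodPost, "/api/v1/dags", body)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	mux := newMux()
	fmt.Println("no credentials:   ", probe(mux, "", ""))                // 401
	fmt.Println("wrong password:   ", probe(mux, exampleUser, "nope"))   // 401
	fmt.Println("valid credentials:", probe(mux, exampleUser, examplePass)) // 201
}
```

The check that matters for this advisory is the first probe: with the middleware in front of the route, a request carrying no credentials is refused with 401 and the DAG body is never parsed. Running the same probe against a live instance after enabling `auth.mode: builtin` gives the confirmation that step 4 asks for.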

References

  • GitHub Repository: Dagu
  • Full report for GHSA-6QR9-G2XW-CW92 (including interactive diagrams and exploit analysis) is available on the original publishing site.