{"id":"CVE-2026-24124","summary":"Dragonfly Manager Job API Allows Unauthenticated Access","details":"Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.","aliases":["GHSA-j8hf-cp34-g4j7","GO-2026-4356"],"modified":"2026-04-10T05:39:21.447571Z","published":"2026-01-22T22:20:20.820Z","related":["SUSE-SU-2026:0403-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24124.json","cwe_ids":["CWE-306"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24124.json"},{"type":"ADVISORY","url":"https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24124"},{"type":"FIX","url":"https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dragonflyoss/dragonfly","events":[{"introduced":"0"},{"fixed":"9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f"}]}],"versions":["v1.4.9-2","v2.1.0","v2.1.0-beta.1","v2.1.0-beta.2","v2.1.0-beta.3","v2.1.0-beta.4","v2.1.0-rc.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.16","v2.1.17","v2.1.18","v2.1.19","v2.1.2","v2.1.20","v2.1.21","v2.1.22","v2.1.23","v2.1.24","v2.1.25","v2.1.26","v2.1.27","v2.1.28","v2.1.29","v2.1.3","v2.1.30","v2.1.31","v2.1.32","v2.1.33","v2.1.34","v2.1.35","v2.1.36","v2.1.37","v2.1.38","v2.1.39","v2.1.4","v2.1.40","v2.1.41","v2.1.42","v2.1.43","v2.1.44","v2.1.45","v2.1.46","v2.1.47","v2.1.48","v2.1.49","v2.1.5","v2.1.50","v2.1.51","v2.1.52","v2.1.53","v2.1.54","v2.1.55","v2.1.56","v2.1.57","v2.1.58","v2.1.59","v2.1.6","v2.1.60","v2.1.61","v2.1.62","v2.1.63","v2.1.64","v2.1.65","v2.1.66","v2.1.67","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.1-rc.0","v2.2.1-rc.1","v2.2.1-rc.3","v2.2.2","v2.2.2-rc.0","v2.2.3-rc.2","v2.3.0","v2.3.1","v2.3.1-beta.0","v2.3.1-rc.0","v2.3.1-rc.2","v2.3.1-rc.4","v2.3.2","v2.3.3","v2.3.3-rc.0","v2.3.3-rc.1","v2.3.4","v2.3.4-beta.0","v2.3.4-beta.1","v2.3.4-rc.0","v2.3.4-rc.1","v2.3.4-rc.2","v2.3.5-beta.0","v2.3.5-beta.1","v2.3.5-rc.0","v2.3.5-rc.1","v2.3.5-rc.2","v2.3.5-rc.3","v2.4.0","v2.4.1-beta.0","v2.4.1-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24124.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/dragonflyoss/dragonfly2","events":[{"introduced":"0"},{"fixed":"e2cae46730cb1146109c22f0d7aa1c990bcc45f7"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.1"}]}}],"versions":["v1.4.9-2","v2.1.0","v2.1.0-beta.1","v2.1.0-beta.2","v2.1.0-beta.3","v2.1.0-beta.4","v2.1.0-rc.0","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.16","v2.1.17","v2.1.18","v2.1.19","v2.1.2","v2.1.20","v2.1.21","v2.1.22","v2.1.23","v2.1.24","v2.1.25","v2.1.26","v2.1.27","v2.1.28","v2.1.29","v2.1.3","v2.1.30","v2.1.31","v2.1.32","v2.1.33","v2.1.34","v2.1.35","v2.1.36","v2.1.37","v2.1.38","v2.1.39","v2.1.4","v2.1.40","v2.1.41","v2.1.42","v2.1.43","v2.1.44","v2.1.45","v2.1.46","v2.1.47","v2.1.48","v2.1.49","v2.1.5","v2.1.50","v2.1.51","v2.1.52","v2.1.53","v2.1.54","v2.1.55","v2.1.56","v2.1.57","v2.1.58","v2.1.59","v2.1.6","v2.1.60","v2.1.61","v2.1.62","v2.1.63","v2.1.64","v2.1.65","v2.1.66","v2.1.67","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.1-rc.0","v2.2.1-rc.1","v2.2.1-rc.3","v2.2.2","v2.2.2-rc.0","v2.2.3-rc.2","v2.3.0","v2.3.1","v2.3.1-beta.0","v2.3.1-rc.0","v2.3.1-rc.2","v2.3.1-rc.4","v2.3.2","v2.3.3","v2.3.3-rc.0","v2.3.3-rc.1","v2.3.4","v2.3.4-beta.0","v2.3.4-beta.1","v2.3.4-rc.0","v2.3.4-rc.1","v2.3.4-rc.2","v2.3.5-beta.0","v2.3.5-beta.1","v2.3.5-rc.0","v2.3.5-rc.1","v2.3.5-rc.2","v2.3.5-rc.3","v2.4.0","v2.4.1-beta.0","v2.4.1-beta.1","v2.4.1-rc.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24124.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"}]}