{"id":"CVE-2026-31882","summary":"Dagu SSE Authentication Bypass in Basic Auth Mode","details":"Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.","aliases":["GHSA-9wmw-9wph-2vwp"],"modified":"2026-04-10T05:42:12.632487Z","published":"2026-03-13T19:28:25.615Z","database_specific":{"cwe_ids":["CWE-306"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31882.json"},"references":[{"type":"WEB","url":"https://github.com/dagu-org/dagu/releases/tag/v2.2.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31882.json"},{"type":"ADVISORY","url":"https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31882"},{"type":"FIX","url":"https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"},{"type":"FIX","url":"https://github.com/dagu-org/dagu/pull/1752"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dagu-org/dagu","events":[{"introduced":"0"},{"fixed":"12c2e5395bd9331d49ca103593edfd0db39c4f38"}]}],"versions":["v1.0.1","v1.0.2","v1.1.0","v1.1.2"
,"v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.8","v1.10.1","v1.10.2","v1.10.3","v1.10.4","v1.10.5","v1.10.6","v1.11.0","v1.12.0","v1.12.1","v1.12.10","v1.12.11","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.12.8","v1.12.9","v1.13.0","v1.13.1","v1.14.0","v1.14.1","v1.14.2","v1.14.3","v1.14.4","v1.14.5","v1.14.6","v1.14.7","v1.14.8","v1.15.0","v1.15.1","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.17.0","v1.17.0-beta.10","v1.17.0-beta.11","v1.17.0-beta.12","v1.17.0-beta.13","v1.17.0-beta.14","v1.17.0-beta.15","v1.17.0-beta.2","v1.17.0-beta.3","v1.17.0-beta.4","v1.17.0-beta.5","v1.17.0-beta.6","v1.17.0-beta.7","v1.17.0-beta.8","v1.17.0-beta.9","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.18.0","v1.18.1","v1.18.2","v1.18.3","v1.18.4","v1.19.0","v1.19.1","v1.2.10","v1.2.11","v1.2.12","v1.2.14","v1.2.15","v1.2.16","v1.20.0","v1.21.0","v1.22.0","v1.22.1","v1.22.2","v1.22.3","v1.22.4","v1.23.0","v1.23.1","v1.23.2","v1.23.4","v1.24.0","v1.24.1","v1.24.11","v1.24.2","v1.24.3","v1.24.4","v1.24.5","v1.24.6","v1.24.7","v1.24.8","v1.25.0","v1.25.1","v1.26.0","v1.26.1","v1.26.2","v1.26.3","v1.26.4","v1.26.5","v1.27.0","v1.28.0","v1.29.0","v1.29.1","v1.29.2","v1.3.0","v1.3.1","v1.3.10","v1.3.11","v1.3.12","v1.3.13","v1.3.14","v1.3.15","v1.3.16","v1.3.17","v1.3.18","v1.3.19","v1.3.2","v1.3.20","v1.3.21","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.30.0","v1.30.1","v1.30.2","v1.30.3","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.5.4","v1.5.5","v1.5.6","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v1.7.10","v1.7.11","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.7.8","v1.7.9","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.5","v1.8.6","v1.8.7","v1.8.8","v1.9.0","v1.9.1","v1.9.2","v1.9.3","v1.9.4","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.2.0","v2.2.1","v2.2.2","v2.2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31882.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}