
CVE-2026-31882: CWE-306: Missing Authentication for Critical Function in dagu-org dagu

High
Tags: Vulnerability, CVE-2026-31882, CWE-306
Published: Fri Mar 13 2026 (03/13/2026, 19:28:25 UTC)
Source: CVE Database V5
Vendor/Project: dagu-org
Product: dagu

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend/auth/middleware.go allows unauthenticated requests when AuthRequired is false. This vulnerability is fixed in 2.2.4.

AI-Powered Analysis

Last updated: 03/13/2026, 19:59:19 UTC

Technical Analysis

CVE-2026-31882 affects dagu-org's 'dagu' workflow engine prior to version 2.2.4. Dagu ships a web UI and a REST API, and can protect both with HTTP Basic authentication (DAGU_AUTH_MODE=basic). Its Server-Sent Events (SSE) endpoints, which stream real-time workflow execution data to the UI, are authenticated through a separate options struct built by buildStreamAuthOptions(). In basic mode that function sets BasicAuthEnabled to true but never sets AuthRequired, which therefore keeps Go's zero value, false. The middleware in internal/service/frontend/auth/middleware.go consults AuthRequired first and passes any request through when it is false, so BasicAuthEnabled is never reached for the stream routes.

The result is a fail-open control: exploitation is a plain HTTP GET to an SSE endpoint with no Authorization header, which returns the same live DAG execution data, workflow configurations, execution logs and queue status that an authenticated UI session would see. The REST API endpoints, whose options do set AuthRequired, are not affected. Version 2.2.4 fixes the issue by requiring authentication on the SSE endpoints whenever Basic auth mode is enabled.

The CVSS v3.1 score is 7.5 (high): network-reachable, low complexity, no privileges or user interaction, high confidentiality impact, no integrity or availability impact. No exploitation in the wild had been reported at the time of analysis.
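The Description and Technical Analysis above both describe the same two-line defect: an options struct with BasicAuthEnabled set but AuthRequired left at its zero value, and a middleware that treats AuthRequired == false as "let everything through". The following Go program is an added illustration of that pattern and its fix, written for this page; it is not dagu's source. The names buildStreamAuthOptions, auth.Options, BasicAuthEnabled and AuthRequired come from the advisory; the credential fields, the /stream path, the handler and the constructed event payload are assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Options mirrors the two fields the advisory names on auth.Options. The
// credential fields are assumed for this example; none of this is dagu's code.
type Options struct {
	AuthRequired     bool // zero value false: the field the bug hinges on
	BasicAuthEnabled bool
	BasicUsername    string // assumed field name
	BasicPassword    string // assumed field name
}

// buildStreamAuthOptionsVulnerable reproduces the pre-2.2.4 behaviour the
// advisory describes: basic mode enables the scheme but never sets
// AuthRequired, so it keeps Go's zero value, false.
func buildStreamAuthOptionsVulnerable(authMode, user, pass string) Options {
	var opts Options
	if authMode == "basic" {
		opts.BasicAuthEnabled = true
		opts.BasicUsername = user
		opts.BasicPassword = pass
	}
	return opts
}

// buildStreamAuthOptionsFixed derives AuthRequired from whether a scheme is
// enabled, so enabling basic auth can no longer leave the stream routes open.
func buildStreamAuthOptionsFixed(authMode, user, pass string) Options {
	opts := buildStreamAuthOptionsVulnerable(authMode, user, pass)
	opts.AuthRequired = opts.BasicAuthEnabled
	return opts
}

// authMiddleware models the check the advisory attributes to
// internal/service/frontend/auth/middleware.go: when AuthRequired is false the
// request passes through unchecked, whatever BasicAuthEnabled says.
func authMiddleware(opts Options, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !opts.AuthRequired {
			next.ServeHTTP(w, r) // fail-open path
			return
		}
		if opts.BasicAuthEnabled {
			u, p, ok := r.BasicAuth()
			userOK := subtle.ConstantTimeCompare([]byte(u), []byte(opts.BasicUsername)) == 1
			passOK := subtle.ConstantTimeCompare([]byte(p), []byte(opts.BasicPassword)) == 1
			if ok && userOK && passOK {
				next.ServeHTTP(w, r)
				return
			}
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="dagu"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

// streamHandler is a stand-in SSE endpoint emitting one constructed event.
var streamHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/event-stream")
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "event: dag-status\ndata: {\"dag\":\"nightly-etl\",\"status\":\"running\"}\n\n")
})

// probeStream sends one GET through the middleware (with Basic credentials
// when user is non-empty) and returns the HTTP status the client would see.
func probeStream(opts Options, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/stream", nil) // placeholder path
	req.Header.Set("Accept", "text/event-stream")
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	authMiddleware(opts, streamHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := buildStreamAuthOptionsVulnerable("basic", "admin", "s3cret")
	fixed := buildStreamAuthOptionsFixed("basic", "admin", "s3cret")
	fmt.Println("vulnerable builder, no credentials:", probeStream(vuln, "", ""))
	fmt.Println("fixed builder, no credentials:     ", probeStream(fixed, "", ""))
	fmt.Println("fixed builder, valid credentials:  ", probeStream(fixed, "admin", "s3cret"))
	fmt.Println("fixed builder, wrong password:     ", probeStream(fixed, "admin", "nope"))
}
```

The vulnerable builder yields 200 for a request carrying no credentials at all; the fixed builder yields 401 for the same request and only admits the correct username and password. The design lesson is the one CWE-306 cases usually carry: an "is authentication required" flag whose zero value means "no" fails open by default, so derive it from the enabled schemes (or make the middleware refuse when a scheme is enabled but not required) rather than trusting every builder to set it.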

Potential Impact

An unauthenticated, network-reachable attacker can read the same real-time operational data that dagu's authenticated UI shows: DAG execution state, workflow configurations, execution logs and queue status. Workflow configurations reveal how internal processes are wired together and which systems they touch, and execution logs can capture command output, environment values or credentials that workflow steps print, so the disclosure can go beyond "operational insight" into material that enables further attacks. The vulnerability is read-only: it does not let the attacker modify workflows or disrupt the service, which is why the CVSS vector carries a high confidentiality impact and no integrity or availability impact. The exposure is most serious in environments where workflows process sensitive data (finance, healthcare, critical infrastructure) or where leaked configuration amounts to intellectual property or a compliance violation. Because no credentials or user interaction are needed, any dagu instance reachable from an untrusted network is exposed in full.

Mitigation Recommendations

The primary mitigation is to upgrade dagu to version 2.2.4 or later, where the SSE endpoints require authentication whenever Basic auth mode is enabled. Until the upgrade is possible, the following measures apply:
1) Restrict network access to the dagu instance with firewall rules or network segmentation so that only trusted internal users can reach it. Note that the SSE endpoints share the same listener as the UI and REST API, so this means restricting the instance as a whole, not a subset of paths.
2) Do not simply disable Basic authentication: with no auth mode configured the REST API and UI are unprotected as well. The advisory scopes the flaw to DAGU_AUTH_MODE=basic; if your deployment can use another authentication mode that dagu supports, verify against a test instance that stream endpoints are actually protected in that mode rather than assuming it.
3) Enforce credentials in front of dagu. A reverse proxy that requires Basic authentication on every path, not only on the REST API prefix, closes the gap regardless of how dagu's own middleware behaves. The proxy must validate the credentials itself; forwarding the header to dagu changes nothing, since dagu does not check it on these routes.
4) Monitor for exploitation: in the proxy or server access logs, look for GET requests to the SSE endpoints that carry no Authorization header and receive a 200 response (EventSource clients also send Accept: text/event-stream). Review historical logs back to when the instance was first exposed.
5) Review what the streams expose and reduce it where possible, in particular secrets that workflow steps echo into execution logs.
6) After patching, confirm the fix by issuing an unauthenticated request to a stream endpoint and checking that the server now answers 401 rather than 200 with an event stream.
These measures complement patching; only the upgrade removes the flaw.
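Measures 4 and 6 above both amount to one check: does a GET with no Authorization header get an event stream back? The Go program below is an added example for this page, not a tool from the dagu project. It takes the base URL and the stream paths to test as arguments (the advisory does not list the SSE paths, so none are hard-coded here), sends an unauthenticated GET with the Accept header an EventSource client uses, and reports the endpoint as exposed only when the answer is 200 with a text/event-stream Content-Type, so a 200 HTML login page is not mistaken for a bypass. The body is closed as soon as the headers arrive because an SSE response never ends on its own.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// StreamProbe records what an unauthenticated GET to a stream endpoint returned.
type StreamProbe struct {
	Status      int
	ContentType string
}

// Exposed is true only when the endpoint answered 200 with an event stream.
// A 200 that serves HTML (a login page, for instance) does not count.
func (p StreamProbe) Exposed() bool {
	return p.Status == http.StatusOK && strings.HasPrefix(p.ContentType, "text/event-stream")
}

// probeUnauthenticated issues one GET with no Authorization header and the
// Accept header an EventSource client sends. Only the status line and headers
// are needed for the verdict, so the body is closed immediately; an SSE body
// would otherwise stream until the timeout.
func probeUnauthenticated(baseURL, path string) (StreamProbe, error) {
	client := &http.Client{Timeout: 10 * time.Second}
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+path, nil)
	if err != nil {
		return StreamProbe{}, err
	}
	req.Header.Set("Accept", "text/event-stream")
	resp, err := client.Do(req) // returns once headers are received
	if err != nil {
		return StreamProbe{}, err
	}
	resp.Body.Close()
	return StreamProbe{Status: resp.StatusCode, ContentType: resp.Header.Get("Content-Type")}, nil
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintln(os.Stderr, "usage: sseprobe <base-url> <stream-path> [<stream-path>...]")
		os.Exit(2)
	}
	exposed := false
	for _, path := range os.Args[2:] {
		p, err := probeUnauthenticated(os.Args[1], path)
		if err != nil {
			fmt.Printf("%s: error: %v\n", path, err)
			continue
		}
		verdict := "protected"
		if p.Exposed() {
			verdict = "EXPOSED without credentials"
			exposed = true
		}
		fmt.Printf("%s: %d %q -> %s\n", path, p.Status, p.ContentType, verdict)
	}
	if exposed {
		os.Exit(1) // non-zero so the check can gate a deployment pipeline
	}
}
```

Run it against a pre-upgrade instance to confirm exposure, again after upgrading to 2.2.4 or after placing an authenticating reverse proxy in front, and keep it as a post-deploy check: the exit status is 1 whenever any listed path streams without credentials.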


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-09T21:59:02.686Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69b469392f860ef94390568c

Added to database: 3/13/2026, 7:44:57 PM

Last enriched: 3/13/2026, 7:59:19 PM

Last updated: 3/13/2026, 10:24:19 PM

Views: 5

