
CVE-2026-31886: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dagu-org dagu

Severity: Critical
Tags: Vulnerability, CVE-2026-31886, CWE-22
Published: Fri Mar 13 2026 (03/13/2026, 19:32:09 UTC)
Source: CVE Database V5
Vendor/Project: dagu-org
Product: dagu

Description

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any format validation. Go's filepath.Join resolves .. segments lexically, so a caller can supply a value such as ".." to redirect the computed directory outside the intended /tmp/<name>/<id> path. A deferred cleanup function that calls os.RemoveAll on that directory then runs unconditionally when the HTTP handler returns, deleting whatever directory the traversal resolved to. With dagRunId set to "..", the resolved directory is the system temporary directory (/tmp on Linux). On non-root deployments, os.RemoveAll("/tmp") removes all files in /tmp owned by the dagu process user, disrupting every concurrent dagu run that has live temp files. On root or Docker deployments, the call removes the entire contents of /tmp, causing a system-wide denial of service. This vulnerability is fixed in 2.2.4.

AI-Powered Analysis

AI analysis last updated: 03/13/2026, 19:59:06 UTC

Technical Analysis

Dagu is a workflow engine with a web interface; versions prior to 2.2.4 contain a critical path traversal vulnerability (CVE-2026-31886) classified under CWE-22. The vulnerability stems from improper validation of the dagRunId request parameter used in inline DAG execution endpoints. This parameter is passed directly into Go's filepath.Join function to construct a temporary directory path. Since filepath.Join resolves '..' segments lexically, an attacker can supply a value such as ".." to traverse outside the intended directory structure (/tmp/<name>/<id>). A deferred cleanup function then calls os.RemoveAll on the resolved path unconditionally when the HTTP handler completes. If dagRunId is "..", the resolved path becomes the system temporary directory (/tmp on Linux). On deployments running as non-root users, os.RemoveAll("/tmp") deletes all files in /tmp owned by the dagu process user, disrupting all concurrent dagu runs relying on temporary files. On root or Docker container deployments, this results in the deletion of the entire /tmp directory contents, causing a system-wide denial of service. The vulnerability requires low attack complexity and no user interaction but does require some privileges (PR:L). The scope is complete as it affects confidentiality, integrity, and availability, with availability the primary impact because the outcome is denial of service. The vulnerability was publicly disclosed on March 13, 2026, with a CVSS v3.1 score of 9.1 (critical). The issue is resolved in dagu version 2.2.4.

Potential Impact

The impact of CVE-2026-31886 is significant for organizations using dagu workflow engine versions prior to 2.2.4. Exploitation can lead to widespread denial of service by deleting critical temporary files or the entire /tmp directory, which many Linux-based systems and applications rely on for temporary storage. On non-root deployments, this disrupts all concurrent dagu runs, causing workflow failures and potential data loss in temporary processing. On root or containerized deployments, the deletion of /tmp can affect multiple system services and applications beyond dagu, potentially causing system instability or crashes. This can result in operational downtime, loss of productivity, and increased recovery costs. Although confidentiality and integrity impacts are limited, the availability impact is severe and can affect business continuity. The vulnerability can be exploited remotely with low complexity, increasing the risk of automated or widespread attacks. Organizations running dagu in critical environments, especially those using root or containerized deployments, face elevated risk of system-wide disruption.

Mitigation Recommendations

To mitigate CVE-2026-31886, organizations should immediately upgrade dagu to version 2.2.4 or later, where the vulnerability is fixed. If upgrading is not immediately possible, implement strict input validation and sanitization on the dagRunId parameter to prevent path traversal sequences such as '..'. Employ application-layer filtering or web application firewalls (WAFs) to detect and block malicious requests attempting directory traversal. Run dagu with the least privilege possible, avoiding root or overly permissive container configurations to limit the scope of damage if exploited. Regularly monitor logs for unusual deletion activity or errors related to temporary directories. Implement file system protections such as immutable flags or access control lists (ACLs) on critical directories like /tmp to prevent unauthorized deletions. Finally, conduct thorough testing of workflow engine endpoints to ensure no other parameters allow similar traversal or destructive operations.
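The mechanism described in the Description and Technical Analysis above, and the input-validation and least-damage advice in the mitigation paragraph, can both be seen in a single Go program. This is an added example written for this page, not dagu's own code: the helper names (unsafeRunDir, safeRunDir, insideBase, guardedCleanup), the allow-list pattern for dagRunId, and the "demo" DAG name are assumptions. The only thing taken from the advisory is the /tmp/<name>/<id> layout and the fact that filepath.Join collapses ".." lexically.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// tmpRoot is the directory the advisory names as the base of /tmp/<name>/<id>.
const tmpRoot = "/tmp"

// unsafeRunDir reproduces the flawed pattern the advisory describes
// (hypothetical helper, not dagu's code): the request-supplied id is joined
// with no format check. filepath.Join cleans the result lexically, so an id
// of ".." collapses /tmp/<name>/.. to /tmp, and "../.." collapses to "/".
func unsafeRunDir(name, id string) string {
	return filepath.Join(tmpRoot, name, id)
}

// runIDPattern is an assumed allow-list: 1 to 128 characters drawn from
// letters, digits, '-' and '_'. It admits no '/', '\' or '.', so no
// traversal token can survive the check.
var runIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,128}$`)

var errBadRunID = errors.New("dagRunId rejected: must match " + runIDPattern.String())

// insideBase reports whether dir is strictly below base after cleaning.
// base itself (relative path ".") and anything reached via ".." is rejected.
func insideBase(base, dir string) bool {
	rel, err := filepath.Rel(filepath.Clean(base), filepath.Clean(dir))
	if err != nil || rel == "." || filepath.IsAbs(rel) {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeRunDir validates the id against the allow-list first, then confirms
// the joined path still sits under /tmp/<name>. The second check is defence
// in depth: it would still catch traversal if the pattern were later loosened.
func safeRunDir(name, id string) (string, error) {
	if !runIDPattern.MatchString(id) {
		return "", errBadRunID
	}
	base := filepath.Join(tmpRoot, name)
	dir := filepath.Join(base, id)
	if !insideBase(base, dir) {
		return "", errBadRunID
	}
	return dir, nil
}

// guardedCleanup is the shape a deferred cleanup should take: it refuses to
// invoke the destructive call unless dir is strictly inside base. The remover
// is injected so the guard can be exercised without touching disk
// (os.RemoveAll in production, a recorder here and in tests).
func guardedCleanup(base, dir string, remover func(string) error) error {
	if !insideBase(base, dir) {
		return fmt.Errorf("refusing to remove %q: not inside %q", dir, base)
	}
	return remover(dir)
}

func main() {
	// Constructed inputs: a benign id and the traversal value from the advisory.
	for _, id := range []string{"run-20260313", ".."} {
		fmt.Printf("unsafe %-16q -> %s\n", id, unsafeRunDir("demo", id))
		if dir, err := safeRunDir("demo", id); err != nil {
			fmt.Printf("safe   %-16q -> %v\n", id, err)
		} else {
			fmt.Printf("safe   %-16q -> %s\n", id, dir)
		}
	}
	// A real handler would write: defer guardedCleanup(base, dir, os.RemoveAll).
	// Here the remover only prints, so running this program deletes nothing.
	printOnly := func(p string) error { fmt.Println("would remove", p); return nil }
	base := filepath.Join(tmpRoot, "demo")
	if err := guardedCleanup(base, unsafeRunDir("demo", ".."), printOnly); err != nil {
		fmt.Println("cleanup:", err)
	}
}
```

The allow-list is the primary control; the containment check before the deferred delete is what limits damage if any other path component is ever attacker-influenced. Both checks are cheap enough to run on every request.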


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-09T21:59:02.686Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69b469392f860ef943905692

Added to database: 3/13/2026, 7:44:57 PM

Last enriched: 3/13/2026, 7:59:06 PM

Last updated: 3/13/2026, 10:24:14 PM