CVE-2026-33344 is a path traversal vulnerability classified under CWE-22 affecting the dagu workflow engine, specifically versions from 2.0.0 up to but not including 2.3.1. Dagu provides a web user interface to manage Directed Acyclic Graphs (DAGs) for workflow orchestration. Previously, a fix for CVE-2026-27598 addressed path traversal in the CREATE operation by adding a ValidateDAGName function and sanitizing file paths using filepath.Base. However, this fix was incomplete because other API endpoints—GET, DELETE, RENAME, and EXECUTE—continued to accept the {fileName} URL parameter without invoking ValidateDAGName. This oversight allows attackers to supply %2F-encoded forward slashes within the {fileName} parameter, effectively bypassing directory restrictions and enabling traversal outside the designated DAGs directory. Exploiting this vulnerability can allow an attacker with network access and low privileges to read, rename, delete, or execute files outside the intended scope, compromising confidentiality and integrity of the system. The vulnerability does not require user interaction and has a CVSS 3.1 base score of 8.1, indicating high severity. The issue was addressed in dagu version 2.3.1 by extending validation to all relevant API endpoints, ensuring that path traversal attempts are blocked. No known exploits are currently reported in the wild, but the risk remains significant due to the ease of exploitation and potential impact on critical workflow files.

The vulnerability allows unauthorized directory traversal, enabling attackers to access, modify, or execute files outside the intended DAGs directory. This can lead to disclosure of sensitive information, tampering with workflow definitions, or execution of arbitrary code if executable files are accessible. For organizations relying on dagu for workflow automation, this could disrupt business processes, cause data breaches, or facilitate further compromise of internal systems. Since the vulnerability requires only low privileges and no user interaction, it can be exploited remotely by authenticated users or potentially by attackers who gain limited access. The impact is particularly severe in environments where dagu is exposed to untrusted networks or integrated with critical infrastructure. The lack of known exploits in the wild suggests limited active exploitation so far, but the high CVSS score and straightforward exploitation method indicate a strong potential for damage if left unpatched.

Organizations should immediately upgrade dagu to version 2.3.1 or later, where the vulnerability is fully patched. Until upgrade is possible, restrict network access to the dagu web interface using firewalls or VPNs to limit exposure to trusted users only. Implement strict authentication and authorization controls to minimize the risk of unauthorized access. Conduct a thorough audit of existing DAG files and related directories to detect any unauthorized modifications or suspicious activity. Monitor logs for unusual API requests containing encoded path traversal sequences such as %2F. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the {fileName} parameter. Educate administrators and developers about secure coding practices, emphasizing consistent input validation across all API endpoints. Finally, integrate vulnerability scanning and penetration testing into the development lifecycle to detect similar issues proactively.