Dagu: The Friendly Ghost that Runs Your Malware (GHSA-6QR9-G2XW-CW92)

Vulnerability ID: GHSA-6QR9-G2XW-CW92
CVSS Score: 9.8
Published: 2026-02-19

Dagu, a lightweight Go-based workflow engine often used as a cron alternative, inadvertently provided 'RCE as a Service' in its default configuration. By failing to enforce authentication on API endpoints that accept inline DAG definitions, it allowed any unauthenticated attacker to execute arbitrary shell commands on the host server via simple HTTP requests.

TL;DR

Critical RCE in Dagu workflow engine. Default configuration exposes API endpoints without auth. Attackers can POST a YAML file to execute arbitrary shell commands.

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-306
• Attack Vector: Network
• CVSS: 9.8 (Critical)
• Impact: Remote Code Execution
• Exploit Status: Functional PoC
• Authentication: None Required (Default)

Affected Systems

• Dagu Workflow Engine
• Go-based DevOps tooling
• Dagu: < Feb 2026 Patch (Fixed in: Feb 2026 Release)

Code Analysis

Commit: e7d8f9a

Hardening API endpoints and enforcing authentication middleware

func (s *Server) Routes() {
-  r.Post("/api/v1/dags", s.handlePostDags)
+  r.Post("/api/v1/dags", authMiddleware(s.handlePostDags))

Exploit Details

• GitHub: Analysis of the source code reveals the direct mapping of API input to execution functions.

Mitigation Strategies

• Enable builtin authentication in Dagu configuration.
• Restrict network access to the Dagu API port (default 8080).
• Run Dagu as a non-privileged user.

Remediation Steps:

1. Edit config.yaml or dagu.yaml.
2. Set auth.mode to builtin.
3. Define a strong username and password.
4. Restart the Dagu service.
5. Verify that accessing the UI or API now returns 401 Unauthorized.

References

• Dagu Repository

Read the full report for GHSA-6QR9-G2XW-CW92 on our website for more details including interactive diagrams and full exploit analysis.