High severity · OSV Advisory · Published Jan 22, 2026 · Updated Feb 26, 2026
Dragonfly Manager Job API Allows Unauthenticated Access
CVE-2026-24124
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
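A regression check for the flaw class described above, as an added example that is not Dragonfly's own code: it probes the job routes with no credentials and lists every route that does not answer 401 or 403. The router, the `requireToken` stand-in, the HTTP methods and the job ID are assumptions, built on Go's `net/http` rather than the Manager's actual router.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Probes for view, update and delete on the advisory's path; methods and job ID "1" are constructed.
var jobProbes = [][2]string{{"GET", "/api/v1/jobs"}, {"PATCH", "/api/v1/jobs/1"}, {"DELETE", "/api/v1/jobs/1"}}

// requireToken stands in for JWT and RBAC middleware; it only checks that a credential is present.
func requireToken(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newManager is a hypothetical router; protectJobs=false registers the job routes with no middleware.
func newManager(protectJobs bool) http.Handler {
	var jobs http.Handler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	if protectJobs {
		jobs = requireToken(jobs)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/v1/jobs", jobs)
	mux.Handle("/api/v1/jobs/", jobs)
	return mux
}

// openRoutes returns each probe answered with something other than 401/403 when sent without credentials.
func openRoutes(h http.Handler, probes [][2]string) []string {
	var open []string
	for _, p := range probes {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(p[0], p[1], nil))
		if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
			open = append(open, p[0]+" "+p[1])
		}
	}
	return open
}

func main() {
	fmt.Println("no middleware:", openRoutes(newManager(false), jobProbes), "with middleware:", openRoutes(newManager(true), jobProbes))
}
```

Run as a CI test against the real route table, a check like this fails the build when a route group is registered outside the authenticated group.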
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| d7y.io/dragonfly/v2 (Go) | < 2.4.1 | 2.4.1 |
Affected products
- Range: v1.4.9-2, v2.1.0, v2.1.0-beta.1, …
- ghsa-coords: 2 versions, < 2.4.1 + 1 more
- (no CPE) range: < 2.4.1
- (no CPE) range: < 0.0.20260205T172317-150000.1.146.1
References
- github.com/advisories/GHSA-j8hf-cp34-g4j7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-24124 (ghsa, ADVISORY)
- github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f (ghsa, x_refsource_MISC, WEB)
- github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 (ghsa, x_refsource_CONFIRM, WEB)