High severityNVD Advisory· Published Mar 24, 2026· Updated Mar 24, 2026
Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG
CVE-2026-33344
Description
Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/dagu-org/daguGo | >= 1.30.4-0.20260221021317-e2ed589105d7, < 1.30.4-0.20260319093346-7d07fda8f9de | 1.30.4-0.20260319093346-7d07fda8f9de |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/dagu-org/dagupkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 1.30.4-0.20260221021317-e2ed589105d7, < 1.30.4-0.20260319093346-7d07fda8f9de+ 1 more
- (no CPE)range: >= 1.30.4-0.20260221021317-e2ed589105d7, < 1.30.4-0.20260319093346-7d07fda8f9de
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-ph8x-4jfv-v9v8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33344ghsaADVISORY
- github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bbghsax_refsource_MISCWEB
- github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.