What is CVE-2026-31882?

CVE-2026-31882 is a high-severity vulnerability in Dagu-org Dagu, classified under Missing Authentication for Critical Function. CVSS score: 7.5/10. Published 2026-03-13.

How severe is CVE-2026-31882?

High severity. CVSS v3 base score is 7.5 out of 10.

Auth bypass in Dagu-org Dagu

CVE-2026-31882

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. Thi…

Vulnerability class: Broken Authentication

EPSS: 0.002 (37.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Dagu-org Dagu — versions < 2.2.4

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp (x_refsource_CONFIRM)
https://github.com/dagu-org/dagu/pull/1752 (x_refsource_MISC)
https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775 (x_refsource_MISC)
https://github.com/dagu-org/dagu/releases/tag/v2.2.4 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-31882?: CVE-2026-31882 is a high-severity vulnerability in Dagu-org Dagu, classified under Missing Authentication for Critical Function. CVSS score: 7.5/10. Published 2026-03-13.
How severe is CVE-2026-31882?: High severity. CVSS v3 base score is 7.5 out of 10.