CVE-2026-27598

HIGH SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N                                    

Vulnerability Description

Dagu is a workflow engine with a built-in Web user interface. In versions up to and including 1.16.7, the `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. An authenticated user with DAG write permissions can write arbitrary YAML files anywhere on the filesystem (limited by the process permissions). Since dagu executes DAG files as shell commands, writing a malicious DAG to the DAGs directory of another instance or overwriting config files can lead to remote code execution. Commit e2ed589105d79273e4e6ac8eb31525f765bb3ce4 fixes the issue.

Vulnerability Details

Published Date

February 24, 2026

Last Modified

February 26, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

Product

github.com/dagu-org/dagu

External References

https://github.com/dagu-org/dagu/security/advisories/GHSA-6v48-fcq6-ff23
https://github.com/dagu-org/dagu/commit/e2ed589105d79273e4e6ac8eb31525f765bb3ce4
https://github.com/advisories/GHSA-6v48-fcq6-ff23

CVE-2026-27598

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment