GHSA-6V48-FCQ6-FF23
Vulnerability from github – Published: 2026-02-24 21:43 – Updated: 2026-02-24 21:43The CreateNewDAG API endpoint (POST /api/v1/dags) does not validate the DAG name before passing it to the file store. While RenameDAG calls core.ValidateDAGName() to reject names containing path separators (line 273 in dags.go), CreateNewDAG skips this validation entirely and passes user input directly to dagStore.Create().
In internal/persis/filedag/store.go, the generateFilePath function (line 493) checks if the name contains a path separator, and if so, resolves it via filepath.Abs(name) — completely ignoring the baseDir. This means a name like ../../tmp/pwned will write a file to /tmp/pwned.yaml instead of the DAGs directory.
Affected code:
internal/service/frontend/api/v1/dags.go line 120-170 — CreateNewDAG handler, no call to ValidateDAGName
internal/persis/filedag/store.go line 493-498 — generateFilePath resolves absolute path when name contains separator
internal/persis/filedag/store.go line 213 — Create calls generateFilePath and writes attacker-controlled YAML content to the resolved path
PoC:
curl -X POST http://localhost:8080/api/v1/dags \
-H "Content-Type: application/json" \
-d '{
"name": "../../tmp/path-traversal-proof",
"spec": "steps:\n - command: id > /tmp/pwned\n"
}'
After this request, a file /tmp/path-traversal-proof.yaml will be created with the attacker-supplied content. The file will be written with the permissions of the dagu process.
An authenticated user with DAG write permissions can write arbitrary YAML files anywhere on the filesystem (limited by the process permissions). Since dagu executes DAG files as shell commands, writing a malicious DAG to the DAGs directory of another instance or overwriting config files can lead to remote code execution.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/dagu-org/dagu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.16.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27598"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-24T21:43:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The `CreateNewDAG` API endpoint (`POST /api/v1/dags`) does not validate the DAG name before passing it to the file store. While `RenameDAG` calls `core.ValidateDAGName()` to reject names containing path separators (line 273 in `dags.go`), `CreateNewDAG` skips this validation entirely and passes user input directly to `dagStore.Create()`.\n\nIn `internal/persis/filedag/store.go`, the `generateFilePath` function (line 493) checks if the name contains a path separator, and if so, resolves it via `filepath.Abs(name)` \u2014 completely ignoring the `baseDir`. This means a name like `../../tmp/pwned` will write a file to `/tmp/pwned.yaml` instead of the DAGs directory.\n\n**Affected code:**\n\n`internal/service/frontend/api/v1/dags.go` line 120-170 \u2014 `CreateNewDAG` handler, no call to `ValidateDAGName`\n\n`internal/persis/filedag/store.go` line 493-498 \u2014 `generateFilePath` resolves absolute path when name contains separator\n\n`internal/persis/filedag/store.go` line 213 \u2014 `Create` calls `generateFilePath` and writes attacker-controlled YAML content to the resolved path\n\n**PoC:**\n\n```\ncurl -X POST http://localhost:8080/api/v1/dags \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\n \"name\": \"../../tmp/path-traversal-proof\",\n \"spec\": \"steps:\\n - command: id \u003e /tmp/pwned\\n\"\n }\u0027\n```\n\nAfter this request, a file `/tmp/path-traversal-proof.yaml` will be created with the attacker-supplied content. The file will be written with the permissions of the dagu process.\n\nAn authenticated user with DAG write permissions can write arbitrary YAML files anywhere on the filesystem (limited by the process permissions). Since dagu executes DAG files as shell commands, writing a malicious DAG to the DAGs directory of another instance or overwriting config files can lead to remote code execution.",
"id": "GHSA-6v48-fcq6-ff23",
"modified": "2026-02-24T21:43:15Z",
"published": "2026-02-24T21:43:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-6v48-fcq6-ff23"
},
{
"type": "WEB",
"url": "https://github.com/dagu-org/dagu/commit/e2ed589105d79273e4e6ac8eb31525f765bb3ce4"
},
{
"type": "PACKAGE",
"url": "https://github.com/dagu-org/dagu"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Dagu: Path traversal in DAG creation allows arbitrary YAML file write outside DAGs directory"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.