CVE-2026-33344: Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

March 19, 2026

The fix for CVE-2026-27598 (commit e2ed589, PR #1691) added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory.

References

github.com/advisories/GHSA-ph8x-4jfv-v9v8
github.com/dagu-org/dagu
github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb
github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8
nvd.nist.gov/vuln/detail/CVE-2026-33344

Code Behaviors & Features

Detect and mitigate CVE-2026-33344 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →