GHSA-6qr9-g2xw-cw92: Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
Dagu’s default configuration ships with authentication disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default.
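One way a defender can hunt for exposure of this endpoint in reverse-proxy access logs, as an added example that is not part of the advisory or of Dagu itself. It assumes a constructed log format whose last field records whether an Authorization header was present, and an assumed allowlist of internal networks; the sample lines are constructed.

```python
"""Flag submissions to Dagu's inline-spec endpoint (POST /api/v2/dag-runs)
that were accepted without credentials or from outside the internal network."""
import ipaddress
import re

# Constructed sample access log. The trailing "auth"/"noauth" field is an
# assumed proxy annotation recording whether an Authorization header was sent.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2025:12:00:01 +0000] "POST /api/v2/dag-runs HTTP/1.1" 201 noauth
10.0.0.7 - - [10/Jun/2025:12:00:02 +0000] "GET /api/v2/dags HTTP/1.1" 200 auth
203.0.113.9 - - [10/Jun/2025:12:00:03 +0000] "POST /api/v2/dag-runs HTTP/1.1" 201 auth
198.51.100.4 - - [10/Jun/2025:12:00:04 +0000] "POST /api/v2/dag-runs HTTP/1.1" 401 noauth
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<auth>auth|noauth)$'
)
# The endpoint named in the advisory, with optional sub-path or query string.
DAG_RUNS_RE = re.compile(r"^/api/v2/dag-runs(?:[/?].*)?$")
# Assumed internal ranges; adjust to the deployment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["authenticated"] = rec.pop("auth") == "auth"
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Return (source, severity, reason) findings for inline DAG submissions."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not DAG_RUNS_RE.match(rec["path"]):
            continue
        accepted = 200 <= rec["status"] < 300
        if accepted and not rec["authenticated"]:
            findings.append((rec["src"], "high", "inline DAG spec accepted without credentials"))
        elif not rec["authenticated"]:
            findings.append((rec["src"], "info", "unauthenticated submission rejected"))
        if accepted and not is_internal(rec["src"]):
            findings.append((rec["src"], "medium", "submission accepted from non-internal address"))
    return findings
```

A "high" finding on a host that is supposed to be internal-only is the signal that the default configuration is still in effect and authentication has not been enabled.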