Home / Vulnerability Intelligence / CVE-2026-31886

CVE-2026-31886 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 16, 2026

Dagu - Path Traversal

Published: March 13, 2026Updated: March 16, 2026Remote Exploitable

Overview

Dagu < 2.2.4 contains a path traversal caused by lack of validation on dagRunId in inline DAG execution endpoints, letting attackers delete arbitrary directories including /tmp, exploit requires crafted dagRunId input.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 8.3%(Probability of exploitation in next 30 days)

Impact

Attackers can delete arbitrary files/directories, causing denial of service and disruption of concurrent runs or entire system.

Mitigation

Update to version 2.2.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 14, 2026

🔴 CVE-2026-31886 - Critical (9.1) Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, the dagRunId request field accepted by the inline DAG execution endpoints is passed directly into filepath.Join to construct a temporary directory path without any forma... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31886/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-31886
Severity: Critical
CVSS Score: 9.1
Type: path_traversal
Status: unconfirmed
EPSS: 8.3%
Social Posts: 1

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

EPSS Score

8.3%Probability of exploitation in the next 30 days