REPRO-2026-00106 CRITICAL RCE Verified

Dagu Unauthenticated RCE via Inline DAG Spec

github.com/dagu-org/dagu (go) Feb 20, 2026

Open in Codespaces Download Script

Confidence HIGH

Reproduced in 18m 38s

Spend $0.77

Tool calls 153

Affected <= 1.30.3

What's the vulnerability?

Dagu's default configuration ships with authentication completely disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes shell commands immediately without authentication.

Root Cause Analysis

Dagu's default configuration ships with authentication completely disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes shell commands immediately without authentication.

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00106

or pruva-verify GHSA-6qr9-g2xw-cw92

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00106/artifacts/reproduction_steps.sh

Make executable

chmod +x reproduction_steps.sh

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

No artifacts available