REPRO-2026-00106 CRITICAL RCE
Verified
Dagu Unauthenticated RCE via Inline DAG Spec
github.com/dagu-org/dagu (go) Feb 20, 2026
What's the vulnerability?
Dagu's default configuration ships with authentication completely disabled. The POST /api/v2/dag-runs endpoint accepts an inline YAML spec and executes shell commands immediately without authentication.
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00106
or
pruva-verify GHSA-6qr9-g2xw-cw92
Install:
curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00106/artifacts/repro/reproduction_steps.sh
2. Make executable
chmod +x reproduction_steps.sh
3. Run the script
./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.
Artifacts
repro/rca_report.md (6.3 KB)
repro/reproduction_steps.sh (4.0 KB)
bundle/source.json (6.1 KB)
bundle/ticket.json (10.6 KB)
bundle/ticket.md (4.1 KB)
logs/dagu_fixed_server.log (0.2 KB)
logs/dagu_server.log (1.5 KB)
logs/dagu_variant_server.log (2.3 KB)
logs/docker_run.log (0.2 KB)
logs/exploit_response.log (0.1 KB)
logs/final_server.log (1.4 KB)
logs/variant_test.log (0.2 KB)
logs/verification.log (0.0 KB)