# REPRO-2026-00106: Dagu Unauthenticated RCE via Inline DAG Spec

## Summary

- Status: published
- Severity: critical
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00106
- GHSA: GHSA-6qr9-g2xw-cw92

## Package

- Name: github.com/dagu-org/dagu
- Ecosystem: go
- Affected: <= 1.30.3
- Fixed: Unknown

## Root Cause

Dagu's default configuration ships with authentication completely disabled. The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and executes shell commands immediately without authentication.

## Reproduction Details

- Reproduced: 2026-02-20T15:03:08.495Z
- Duration: 1118 seconds
- Tool calls: 153
- Turns: 112
- Handoffs: 2

## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00106
pruva-verify GHSA-6qr9-g2xw-cw92
```

Or open in GitHub Codespaces (zero-friction, auto-runs):

https://github.com/codespaces/new?ref=repro/REPRO-2026-00106&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00106/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-6qr9-g2xw-cw92

## Artifacts

- repro/rca_report.md (analysis, 6444 bytes)
- repro/reproduction_steps.sh (reproduction_script, 4088 bytes)
- bundle/source.json (other, 6255 bytes)
- bundle/ticket.json (other, 10897 bytes)
- bundle/ticket.md (ticket, 4150 bytes)
- logs/dagu_fixed_server.log (log, 155 bytes)
- logs/dagu_server.log (log, 1580 bytes)
- logs/dagu_variant_server.log (log, 2328 bytes)
- logs/docker_run.log (log, 194 bytes)
- logs/exploit_response.log (log, 52 bytes)
- logs/final_server.log (log, 1407 bytes)
- logs/variant_test.log (log, 192 bytes)
- logs/verification.log (log, 29 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00106
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00106/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00106

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev