
GHSA-6QR9-G2XW-CW92: Dagu: The Friendly Ghost that Runs Your Malware (GHSA-6QR9-G2XW-CW92)
Vulnerability ID: GHSA-6QR9-G2XW-CW92
CVSS Score: 9.8
Published: 2026-02-19

Dagu, a lightweight Go-based workflow engine often used as a cron alternative, inadvertently provided 'RCE as a Service' in its default configuration. By failing to enforce authentication on API endpoints that accept inline DAG definitions, it allowed any unauthenticated attacker to execute arbitrary shell commands on the host server via simple HTTP requests.

TL;DR
Critical RCE in the Dagu workflow engine. The default configuration exposes API endpoints without authentication. Attackers can POST a YAML file to execute arbitrary shell commands.
⚠️ Exploit Status: PoC

Technical Details
CWE ID: CWE-306
Attack Vector: Network
CVSS: 9.8 (Critical)
Impact: Remote Code Execution
Exploit Status: Functional PoC
Authentication: None Required (Default)

Affected Systems
Dagu Workflow Engine
Go-based DevOps tooling
Dagu: < Feb 2026 Patch (Fixed in: Feb 2026 Release
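The defect class described above is CWE-306: an API endpoint that accepts an inline workflow definition and acts on it without any authentication check. The following Go program is an added illustration, not Dagu's code and not taken from the advisory. It wires a stand-in endpoint two ways: once with no authentication (the vulnerable pattern) and once behind a bearer-token middleware that rejects requests lacking a valid token. The path `/api/dags/inline`, the handler, and the token value are hypothetical, and the handler only acknowledges a constructed YAML body; nothing is executed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// handleInlineDAG stands in for an endpoint that accepts an inline workflow
// definition. It only records that a definition was accepted; in a real
// engine this is the point where steps would be scheduled, which is why it
// must never be reachable without authentication.
func handleInlineDAG(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	w.WriteHeader(http.StatusAccepted)
	fmt.Fprintln(w, "definition accepted")
}

// requireToken is the missing control: every request must carry a bearer
// token that matches the configured value. The comparison is constant-time
// so the check does not leak how many leading bytes matched.
func requireToken(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const prefix = "Bearer "
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, prefix) {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		got := strings.TrimPrefix(h, prefix)
		if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// vulnerableMux registers the endpoint with no authentication at all
// (the CWE-306 pattern). The path is a hypothetical placeholder.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/dags/inline", handleInlineDAG)
	return mux
}

// hardenedMux wraps the entire API behind the token check so that no route
// can be added later and accidentally bypass it.
func hardenedMux(token string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/dags/inline", handleInlineDAG)
	return requireToken(token, mux)
}

// submit POSTs a constructed YAML body to the handler, optionally with a
// bearer token, and returns the HTTP status code the handler produced.
func submit(h http.Handler, token string) int {
	body := "steps:\n  - name: hello\n    command: echo hi\n" // constructed sample
	req := httptest.NewRequest(http.MethodPost, "/api/dags/inline", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/yaml")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const token = "example-token-not-a-real-secret" // hypothetical value
	fmt.Println("unauthenticated, vulnerable:", submit(vulnerableMux(), ""))  // 202
	fmt.Println("unauthenticated, hardened:  ", submit(hardenedMux(token), "")) // 401
	fmt.Println("wrong token, hardened:      ", submit(hardenedMux(token), "nope")) // 401
	fmt.Println("valid token, hardened:      ", submit(hardenedMux(token), token)) // 202
}
```

The point of wrapping the whole mux rather than individual handlers is that a definition-accepting route added later cannot slip past the check; a default configuration that ships with the middleware disabled reproduces the advisory's "None Required (Default)" condition regardless of how each handler is written.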
Continue reading on Dev.to




