


Perceptive Security
SOC/SIEM Consultancy

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all…
Published:
12 March 2026 at 23:00:00
Alert date:
13 March 2026 at 20:06:20
Source:
nvd.nist.gov
Web Technologies, Identity & Access
CVE-2026-31882 affects Dagu workflow engine versions prior to 2.2.4. When configured with HTTP Basic authentication, all Server-Sent Events (SSE) endpoints are accessible without credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status, effectively bypassing REST API authentication. The vulnerability stems from the buildStreamAuthOptions() function setting BasicAuthEnabled to true but leaving AuthRequired as false. The issue is fixed in version 2.2.4.
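A simplified Go model of the flaw described above, added here as an illustration; it is not Dagu's source code. Only the names BasicAuthEnabled and AuthRequired come from the advisory; the struct layout, the streamAuth middleware, the probe helper, the /events path and the credentials are assumptions constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// StreamAuthOptions is a simplified model; only the two bool names are from the advisory.
type StreamAuthOptions struct {
	BasicAuthEnabled bool
	AuthRequired     bool
	User, Pass       string // constructed sample credentials
}

// streamAuth (hypothetical) validates credentials when they are supplied, but
// rejects a request that carries none only if AuthRequired is set.
func streamAuth(o StreamAuthOptions) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o.BasicAuthEnabled {
			u, p, ok := r.BasicAuth()
			valid := ok && subtle.ConstantTimeCompare([]byte(u), []byte(o.User)) == 1 &&
				subtle.ConstantTimeCompare([]byte(p), []byte(o.Pass)) == 1
			if (ok && !valid) || (!ok && o.AuthRequired) {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
		}
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "data: run status\n\n") // stands in for SSE workflow data
	})
}

// probe sends one request to the placeholder /events path and returns the HTTP status.
func probe(o StreamAuthOptions, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/events", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	streamAuth(o).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := StreamAuthOptions{BasicAuthEnabled: true, User: "admin", Pass: "s3cret"}
	fixed := StreamAuthOptions{BasicAuthEnabled: true, AuthRequired: true, User: "admin", Pass: "s3cret"}
	fmt.Println(probe(vuln, "", ""), probe(fixed, "", ""), probe(fixed, "admin", "s3cret"))
}
```

In this model a request without credentials passes when AuthRequired is false even though Basic authentication is enabled, which is why a regression test for stream endpoints should always include the no-credentials case.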
Technical details
Mitigation steps:
Affected products:
Dagu
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-31882
https://github.com/dagu-org/dagu/commit/064616c9b80c04824c1c7c357308f77f3f24d775
https://github.com/dagu-org/dagu/pull/1752
https://github.com/dagu-org/dagu/releases/tag/v2.2.4
https://github.com/dagu-org/dagu/security/advisories/GHSA-9wmw-9wph-2vwp
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
