Dragonfly Manager Job API Allows Unauthenticated Access_CVE-2026-24124

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

Basic Information

ID CVE-2026-24124

Source GitHub_M

Published Jan 22, 2026 at 22:20

Modified Jan 24, 2026 at 04:55

Affected Product

Vendor dragonflyoss

Product dragonfly

Version < 2.4.1-rc.1

Affected Versions dragonflyoss dragonfly < 2.4.1-rc.1

CWE Classification

CWE-306

References

{
    "lastseen": "",
    "description": "Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.",
    "published": "2026-01-22T22:20:20.820Z",
    "modified": "2026-01-24T04:55:23.182Z",
    "type": "cve",
    "title": "Dragonfly Manager Job API Allows Unauthenticated Access",
    "source": "GitHub_M",
    "references": "https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7\nhttps://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f",
    "id": "CVE-2026-24124",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "dragonflyoss dragonfly < 2.4.1-rc.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "dragonfly",
    "version": "< 2.4.1-rc.1",
    "vendor": "dragonflyoss",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}