CVE-2026-24124

CRITICAL

Dragonfly <2.4.1-rc.0 - Info Disclosure

Title source: llm

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

References (2)

[Patch] https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7

Scores

CVSS v3 9.8

EPSS 0.0011

EPSS Percentile 29.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-306

Status published

Affected Products (5)

dragonfly/v2 < 2.4.1Go

linuxfoundation/dragonfly < 2.4.1

linuxfoundation/dragonfly

Timeline

Published Jan 22, 2026

Tracked Since Feb 18, 2026