CVE-2026-24124
📋 TL;DR
Dragonfly versions 2.4.1-rc.0 and below have missing authentication and authorization checks on Job API endpoints, allowing unauthenticated users with network access to the Manager API to view, modify, and delete jobs. This affects all Dragonfly deployments using vulnerable versions. The vulnerability stems from improper access control implementation.
💻 Affected Systems
- Dragonfly
📦 What is this software?
Dragonfly by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could delete all job data, disrupt file distribution operations, or manipulate job configurations to redirect traffic to malicious endpoints.
Likely Case
Unauthorized users viewing sensitive job information, modifying job parameters, or deleting individual jobs causing service disruption.
If Mitigated
If proper network segmentation and API gateway controls exist, impact is limited to authorized internal users only.
🎯 Exploit Status
Exploitation requires only HTTP requests to /api/v1/jobs endpoints. No special tools or knowledge needed beyond basic HTTP client usage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.1-rc.1
Vendor Advisory: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop Dragonfly services.
3. Update to version 2.4.1-rc.1 or later.
4. Restart Dragonfly services.
5. Verify that the Job API endpoints now require authentication.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Dragonfly Manager API endpoints using firewall rules or network segmentation. The rules below are appended with -A, so they only take effect if no earlier rule in the INPUT chain already accepts the traffic; keep the ACCEPT for the trusted network ahead of the DROP.
iptables -A INPUT -p tcp --dport [MANAGER_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [MANAGER_PORT] -j DROP
Reverse Proxy Authentication
Place a reverse proxy (nginx, Apache) in front of the Dragonfly Manager API and require authentication at the proxy.
# Configure nginx with auth_basic and appropriate ACLs
🧯 If You Can't Patch
- Implement strict network access controls to limit Manager API access to trusted IPs only
- Deploy API gateway or WAF with authentication requirements for /api/v1/jobs endpoints
🔍 How to Verify
Check if Vulnerable:
Send HTTP GET request to http://[manager_host]:[port]/api/v1/jobs without authentication. If it returns job data (200 OK), system is vulnerable.
Check Version:
docker exec [dragonfly_container] dragonfly --version
Alternatively, check the deployment manifest for the image version.
Verify Fix Applied:
Attempt same unauthenticated request after patch. Should receive 401 Unauthorized or 403 Forbidden response.
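The unauthenticated probe described above, written out as a small script. This is an added example, not code from the advisory or the Dragonfly project; the Manager base URL is a command-line argument (the default shown is a placeholder), and only the /api/v1/jobs path comes from the advisory.

```python
"""Check whether a Dragonfly Manager serves /api/v1/jobs without credentials.

Added example, not Dragonfly project code. The Manager base URL is an
assumption passed on the command line; the job path is from the advisory.
"""
import sys
import urllib.error
import urllib.request

JOBS_PATH = "/api/v1/jobs"  # endpoint named in the advisory


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET to a verdict."""
    if status == 200:
        return "vulnerable"      # job data returned with no credentials
    if status in (401, 403):
        return "fixed"           # authentication/authorization enforced
    return "inconclusive"        # e.g. 404: the API may live elsewhere


def probe(manager_base_url: str, timeout: float = 5.0) -> str:
    """Send one GET with no Authorization header and classify the reply."""
    url = manager_base_url.rstrip("/") + JOBS_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:
        # 401/403 arrive as HTTPError; the status code is still meaningful
        return classify_status(err.code)
    except urllib.error.URLError:
        return "unreachable"     # connection refused, DNS failure, timeout


if __name__ == "__main__":
    # Placeholder host; replace with your Manager address.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://manager.example.internal:8080"
    print(f"{base}{JOBS_PATH}: {probe(base)}")
```

Run it once before and once after upgrading to 2.4.1-rc.1: the verdict should move from "vulnerable" to "fixed". An "inconclusive" result usually means the Manager API is served on a different port or path prefix than the one given.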
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/v1/jobs endpoints
- Multiple failed authentication attempts followed by successful job API access
Network Indicators:
- Unusual volume of requests to job API from unauthorized sources
- Job modification requests without authentication headers
SIEM Query:
source="dragonfly" AND (uri_path="/api/v1/jobs" AND NOT auth_token=*)
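The log indicators above, implemented as a detection that runs over access-log lines and rates each credential-less job API request. This is an added example and not part of the advisory; the JSON-lines log format (fields ts, src, method, path, status, auth) and the trusted network 10.0.0.0/8 are assumptions, and the sample lines are constructed.

```python
"""Flag unauthenticated requests to the Dragonfly job API in access logs.

Added example, not from the advisory or the Dragonfly project. The JSON
log format and the trusted network below are assumptions; adapt the field
names to whatever your reverse proxy or Manager actually logs.
"""
import ipaddress
import json

JOB_API_PREFIX = "/api/v1/jobs"                     # from the advisory
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # job modify/delete

# Constructed sample lines, not real Dragonfly or proxy logs.
SAMPLE_LOG = """\
{"ts":"2026-01-10T10:00:01Z","src":"10.0.0.5","method":"GET","path":"/api/v1/jobs","status":200,"auth":"Bearer ****"}
{"ts":"2026-01-10T10:00:02Z","src":"203.0.113.9","method":"GET","path":"/api/v1/jobs","status":200,"auth":""}
{"ts":"2026-01-10T10:00:03Z","src":"203.0.113.9","method":"DELETE","path":"/api/v1/jobs/42","status":200,"auth":""}
{"ts":"2026-01-10T10:00:04Z","src":"10.0.0.7","method":"GET","path":"/api/v1/peers","status":200,"auth":""}
{"ts":"2026-01-10T10:00:05Z","src":"198.51.100.3","method":"GET","path":"/api/v1/jobs","status":401,"auth":""}
"""


def _is_job_api(path: str) -> bool:
    return path == JOB_API_PREFIX or path.startswith(JOB_API_PREFIX + "/")


def find_unauthenticated_job_access(log_text: str, trusted_nets=("10.0.0.0/8",)):
    """Return one finding per job-API request that carried no credentials.

    severity:
      high   - a write (POST/PUT/PATCH/DELETE) succeeded (2xx) without auth
      medium - a read succeeded (2xx) without auth
      low    - the request was rejected (401/403): the fix is enforcing auth
      info   - anything else (5xx, 404, ...)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue                                # skip malformed lines
        path = entry.get("path", "")
        if not _is_job_api(path) or entry.get("auth", "").strip():
            continue                                # not in scope, or authenticated
        status = int(entry.get("status", 0))
        method = entry.get("method", "").upper()
        if 200 <= status < 300:
            severity = "high" if method in WRITE_METHODS else "medium"
        elif status in (401, 403):
            severity = "low"
        else:
            severity = "info"
        src = ipaddress.ip_address(entry.get("src", "0.0.0.0"))
        findings.append({
            "ts": entry.get("ts"),
            "src": str(src),
            "trusted_source": any(src in n for n in nets),
            "method": method,
            "path": path,
            "status": status,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_job_access(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["src"], f["method"], f["path"], f["status"])
```

On the sample, the authenticated GET and the request to /api/v1/peers are ignored; the external GET that returned job data is rated medium, the unauthenticated DELETE of a job that succeeded is rated high, and the 401 is kept as a low-severity record so that a burst of rejected attempts remains visible after patching. The trusted_source flag lets a SIEM rule treat internal and external sources differently, which matches the "If Mitigated" case above.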