CVE-2026-24124 HIGH

CVE-2026-24124: Dragonfly Manager Job API Allows Unauthenticated Access

Vendor Dragonflyoss
Product dragonfly
Weakness CWE-306 · Missing auth
Published January 22, 2026
Last update February 26, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

Key dates

02 Disclosure timeline

January 22, 2026 CVE published
February 26, 2026 Record updated
