CVE-2026-24124
CRITICAL 9.8
Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
CVE Details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/22/2026
Last modified: 2/26/2026
Source: nvd
Honeypot sightings: 0
Affected products
linuxfoundation:dragonfly
Weaknesses (CWE)
CWE-306
References
https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f (security-advisories@github.com)
https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.