๐Ÿ” CVE Alert

CVE-2026-24124

UNKNOWN 0.0

Dragonfly Manager Job API Allows Unauthenticated Access

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

CWE: CWE-306
Vendor: dragonflyoss
Product: dragonfly
Published: Jan 22, 2026
Last Updated: Feb 26, 2026

Affected Versions

dragonflyoss / dragonfly
< 2.4.1-rc.1

References

github.com: https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7
github.com: https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f