CVE-2026-24124 · CRITICAL 9.8 · EPSS p48.8%


Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.71% probability of exploitation · percentile 48.8% · 2026-06-19T12:03:05Z
Published: 2026-01-22
Last modified: 2026-02-26

Underlying weaknesses · 1

CWE-306

References

  1. https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f
  2. https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7


Type: Weakness
Target: Missing Authentication for Critical Function (cwe-306)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-59345
CVE-2025-59352
CVE-2026-2096
CVE-2026-0545
CVE-2026-26016
CVE-2026-2095
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.