CVE-2026-49254
Summary
The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the client_secret field. Any network-reachable attacker can read the OAuth client secrets configured for github or google providers, defeating the confidentiality guarantee of those secrets and enabling subsequent abuse against the connected identity providers.
Affected versions
github.com/dragonflyoss/dragonfly <= v2.4.3 (and current main at commit 46a8f1e). The vulnerable wiring is present back to the introduction of OAuth GET handlers and was not addressed by GHSA-j8hf-cp34-g4j7 / CVE-2026-24124, whose remediation only added jwt + rbac middleware to the /jobs group.
Privilege required
Unauthenticated. The only precondition is that an administrator has registered at least one OAuth provider via POST /api/v1/oauth (a one-time setup for tenants that enable GitHub / Google sign-in).
Vulnerable code
manager/router/router.go:134-140 (v2.4.3) — the /oauth group registration:
// Oauth.
oa := apiv1.Group("/oauth")
oa.POST("", jwt.MiddlewareFunc(), rbac, h.CreateOauth)
oa.DELETE(":id", jwt.MiddlewareFunc(), rbac, h.DestroyOauth)
oa.PATCH(":id", jwt.MiddlewareFunc(), rbac, h.UpdateOauth)
oa.GET(":id", h.GetOauth)
oa.GET("", h.GetOauths)
Note the asymmetry inside the same oa route group: POST, PATCH, and DELETE explicitly attach jwt.MiddlewareFunc(), rbac as per-route middleware, but the two GET handlers omit both. Compare with the sibling group three lines below at manager/router/router.go:143-148, the /clusters group:
c := apiv1.Group("/clusters",
⚡ Watch CVE-2026-49254
Get an email if CVE-2026-49254 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-49254)