CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49254

lowcovered by 1 sourcefirst seen 2026-07-02
Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the client_secret field. Any network-reachable attacker can read the OAuth client secrets configured for github or google providers, defeating the confidentiality guarantee of those secrets and enabling subsequent abuse against the connected identity providers. Affected versions github.com/dragonflyoss/dragonfly <= v2.4.3 (and current main at commit 46a8f1e). The vulnerable wiring is present back to the introduction of OAuth GET handlers and was not addressed by GHSA-j8hf-cp34-g4j7 / CVE-2026-24124, whose remediation only added jwt + rbac middleware to the /jobs group. Privilege required Unauthenticated. The only precondition is that an administrator has registered at least one OAuth provider via POST /api/v1/oauth (a one-time setup for tenants that enable GitHub / Google sign-in). Vulnerable code manager/router/router.go:134-140 (v2.4.3) — the /oauth group registration: // Oauth. oa := apiv1.Group("/oauth") oa.POST("", jwt.MiddlewareFunc(), rbac, h.CreateOauth) oa.DELETE(":id", jwt.MiddlewareFunc(), rbac, h.DestroyOauth) oa.PATCH(":id", jwt.MiddlewareFunc(), rbac, h.UpdateOauth) oa.GET(":id", h.GetOauth) oa.GET("", h.GetOauths) Note the asymmetry inside the same oa route group: POST, PATCH, and DELETE explicitly attach jwt.MiddlewareFunc(), rbac as per-route middleware, but the two GET handlers omit both. Compare with the sibling group three lines below at manager/router/router.go:143-148, the /clusters group: c := apiv1.Group("/clusters",

⚡ Watch CVE-2026-49254

Get an email if CVE-2026-49254 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49254

CVE.org record

Embed the live status

CVE-2026-49254 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49254 status](https://www.csirts.com/badge/CVE-2026-49254)](https://www.csirts.com/cve/CVE-2026-49254)