
Security: GHSA-6qr9-g2xw-cw92 — unauthenticated RCE in default config, patch timeline? #1700

@dendrite-soup

A critical advisory was published to the GitHub Advisory Database on Feb 19:
GHSA-6qr9-g2xw-cw92 — unauthenticated RCE via inline DAG spec in default configuration.

The short version: AuthModeNone ships as the default, and the POST /api/v2/dag-runs endpoint accepts a full inline YAML spec with no auth check. Any dagu instance reachable over the network in its default config is fully compromised.

Advisory: GHSA-6qr9-g2xw-cw92

A few questions:

  1. Patch status — Is this addressed in v2, or will there be a v1.x patch? The latest release (v1.30.3, Jan 4) predates the advisory.
  2. Recommended mitigation — For users who can't upgrade immediately, is DAGU_AUTH_MODE=basic + DAGU_BASIC_AUTH_USERNAME/PASSWORD the correct short-term fix, or is there a preferred approach?
  3. SECURITY.md — The repo doesn't have one. Worth adding a private disclosure channel (GitHub's private vulnerability reporting is one click to enable) so future findings don't go straight to the public advisory database.

Not trying to pile on — just making sure this is on your radar given the advisory is already public and the default install is affected.
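A defender-side check for the default-configuration exposure described in this issue, added here as an example and not code from the issue author or the dagu project. It assumes the environment variable names the issue cites (DAGU_AUTH_MODE, DAGU_BASIC_AUTH_USERNAME, DAGU_BASIC_AUTH_PASSWORD), assumes the value "none" corresponds to AuthModeNone, and assumes an instance with auth enforced answers an anonymous POST to /api/v2/dag-runs with 401 or 403; the sample environments are constructed.

```python
"""Audit a dagu deployment's auth settings against GHSA-6qr9-g2xw-cw92.

Added example, not part of the issue or the dagu project. Variable names come
from the issue; the "none" value for AuthModeNone and the 401/403 expectation
are assumptions to confirm against the advisory and the dagu docs.
"""

VULN_ENDPOINT = "/api/v2/dag-runs"  # endpoint named in the advisory
MIN_PASSWORD_LEN = 16               # local policy choice, not a dagu setting


def audit_dagu_auth(env):
    """Return a list of findings for the given env mapping; [] means no issue."""
    findings = []
    mode = env.get("DAGU_AUTH_MODE", "").strip().lower()
    if mode in ("", "none"):  # assumption: unset == AuthModeNone default
        findings.append(
            "DAGU_AUTH_MODE unset or 'none': POST %s accepts inline DAG specs "
            "without authentication (GHSA-6qr9-g2xw-cw92)" % VULN_ENDPOINT)
    elif mode == "basic":  # short-term mitigation proposed in the issue
        user = env.get("DAGU_BASIC_AUTH_USERNAME", "")
        password = env.get("DAGU_BASIC_AUTH_PASSWORD", "")
        if not user or not password:
            findings.append("DAGU_AUTH_MODE=basic but username/password not both set")
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append("DAGU_BASIC_AUTH_PASSWORD shorter than %d chars" % MIN_PASSWORD_LEN)
    else:
        # Only the modes named in the issue are known here; anything else is
        # flagged for manual review rather than assumed safe.
        findings.append("DAGU_AUTH_MODE=%r not recognised by this audit; verify "
                        "it is enforced on %s" % (mode, VULN_ENDPOINT))
    return findings


def anonymous_post_rejected(post):
    """post(path, headers) -> HTTP status. True if an unauthenticated POST to the
    vulnerable endpoint is refused. Inject a real HTTP client in production and a
    stub in tests; a rejected request is the expected post-mitigation result."""
    return post(VULN_ENDPOINT, {}) in (401, 403)


# Constructed sample environments: the shipped default and the mitigated form.
DEFAULT_ENV = {}
MITIGATED_ENV = {"DAGU_AUTH_MODE": "basic",
                 "DAGU_BASIC_AUTH_USERNAME": "ops",
                 "DAGU_BASIC_AUTH_PASSWORD": "correct-horse-battery-staple"}

if __name__ == "__main__":
    for name, env in (("default", DEFAULT_ENV), ("mitigated", MITIGATED_ENV)):
        print(name, audit_dagu_auth(env) or "ok")
```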
