Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset

0
High
Published: 07/10/2026 (07/10/2026, 20:37:23 UTC)
Source: GCVE Database
Product: clauster

Description

Clauster versions prior to 0.2.2 that are bound to a non-loopback address and have authentication password or reverse proxy enabled but leave auth.enabled unset (default false) serve the dashboard and API without any authentication. This allows unauthenticated network attackers full control over the dashboard, including project listing, spawning/stopping remote-control bridges, editing files, reading logs, and cloning repositories. Loopback-only deployments are not affected. A patch is planned to enforce authentication validation strictly. Workarounds include setting auth.enabled to true or binding to loopback only.

CVSS v4.0

Attack Vector
Adjacent Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected software

PyPIghsa
clauster
Affected versions
<0.2.2

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:48:45 UTC

Technical Analysis

A vulnerability in Clauster (≤0.2.1) occurs when the instance is bound to a non-loopback address and authentication is partially configured (password or reverse proxy enabled) but the auth.enabled flag remains false (default). The runtime authentication guard only enforces authentication if auth.enabled is true, otherwise it allows all requests unauthenticated. The configuration validator does not require auth.enabled to be true when password or reverse proxy authentication is set, resulting in a misconfiguration that exposes the dashboard and API without authentication. This enables unauthenticated attackers with network access to fully control the dashboard and execute code remotely via Claude Code bridges. Loopback-only deployments are unaffected. A patch release will enforce fail-closed validation requiring auth.enabled to be true for non-loopback binds with authentication settings. Documentation and Docker defaults have been updated accordingly.

Potential Impact

Unauthenticated attackers with network access to a Clauster instance bound to a non-loopback address and misconfigured authentication can gain full control over the dashboard and API. They can list projects, spawn or stop remote-control bridges that execute code in project directories, edit files, read logs, and clone repositories. This effectively allows remote code execution within the context of the project directories. Loopback-only deployments are not impacted. The vulnerability arises from a configuration validation flaw combined with runtime enforcement logic.

Mitigation Recommendations

A patch release is planned that will enforce strict configuration validation requiring auth.enabled to be true when authentication is configured on non-loopback binds. Until the patch is available, operators should explicitly set auth.enabled: true in their configuration alongside existing auth.password_required and password hash or reverse proxy settings. Alternatively, bind Clauster to the loopback interface only and access it through an SSH tunnel or trusted authenticating reverse proxy. The updated documentation and Docker usage instructions reflect these mitigations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-h4g2-xfmw-q2c9
Osv Schema Version
1.4.0
Aliases
[]
Ecosystems
["PyPI"]
Database Specific Severity
HIGH
Cvss Version
4.0

Threat ID: 6a520eb168715ace438f4ff3

Added to database: 07/11/2026, 09:36:49 UTC

Last enriched: 07/11/2026, 09:48:45 UTC

Last updated: 07/12/2026, 03:33:10 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses