THREATOPS
THREAT OPSThreat News › [GHSA] GHSA-h4g2-xfmw-q2c9 (high) — Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset

[GHSA] GHSA-h4g2-xfmw-q2c9 (high) — Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset

lowgithub_advisoriesPublished 2026-07-10

GHSA-h4g2-xfmw-q2c9 Severity: high CVE: None

Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset

### Summary A Clauster instance bound to a **non-loopback** address (e.g. `0.0.0.0` or a LAN IP) can serve the entire dashboard and its API **without any authentication** — even when the operator has configured a password — if `auth.enabled` is left a

MITRE ATT&CK techniques

Original source: https://github.com/advisories/GHSA-h4g2-xfmw-q2c9