Product
A Clauster instance deployed on a non-loopback address can be accessed unauthenticated, even if password protection is configured, due to auth.enabled defaulting to false. This allows an attacker with network access to gain full control of the dashboard, including listing projects, spawning remote-control bridges, editing files, reading logs, and cloning repositories, ultimately leading to remote code execution in project directories.