{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/clauster--0.2.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Clauster (\u003c= 0.2.1)"],"_cs_severities":["high"],"_cs_tags":["misconfiguration","remote-code-execution","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA high-severity vulnerability (GHSA-h4g2-xfmw-q2c9) has been disclosed in Clauster, a project management and automation tool. Versions up to and including 0.2.1 are affected. The vulnerability allows an unauthenticated attacker with network access to gain full control over the Clauster dashboard and its API, even if the operator believes the instance is password-protected. This occurs when Clauster is bound to a non-loopback address (e.g., \u003ccode\u003e0.0.0.0\u003c/code\u003e or a local area network IP) and the \u003ccode\u003eauth.enabled\u003c/code\u003e configuration flag is left at its default \u003ccode\u003efalse\u003c/code\u003e value. This misconfiguration bypasses all intended authentication checks, enabling an attacker to manipulate projects, execute arbitrary code via \u003ccode\u003eclaude remote-control\u003c/code\u003e bridges, and potentially exfiltrate sensitive data. Docker deployments are particularly susceptible as the official image binds to \u003ccode\u003e0.0.0.0\u003c/code\u003e by default, and previous documentation did not explicitly advise setting \u003ccode\u003eauth.enabled\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Clauster instance exposed on a non-loopback network interface (e.g., \u003ccode\u003e0.0.0.0\u003c/code\u003e or a LAN IP).\u003c/li\u003e\n\u003cli\u003eAttacker sends an unauthenticated HTTP GET request to a sensitive API endpoint, such as \u003ccode\u003ehttp://\u0026lt;host\u0026gt;:7621/api/instances\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Clauster instance responds with a \u003ccode\u003e200 OK\u003c/code\u003e status code and the requested data, effectively bypassing the intended authentication mechanism due to the \u003ccode\u003eauth.enabled: false\u003c/code\u003e misconfiguration.\u003c/li\u003e\n\u003cli\u003eAttacker gains full control over all Clauster dashboard functionalities, including listing projects, accessing project details, and manipulating configurations.\u003c/li\u003e\n\u003cli\u003eAttacker spawns \u003ccode\u003eclaude remote-control\u003c/code\u003e bridges within targeted project directories on the Clauster host.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the \u003ccode\u003eclaude remote-control\u003c/code\u003e bridge to execute arbitrary Claude Code, achieving remote code execution (RCE) on the host system within the context of the project.\u003c/li\u003e\n\u003cli\u003eAttacker can then edit \u003ccode\u003eCLAUDE.md\u003c/code\u003e, read bridge logs, or clone configured repositories, leading to data exfiltration or further system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker with network access to achieve full administrative control over the Clauster dashboard. This includes the ability to list projects, spawn and stop \u003ccode\u003eclaude remote-control\u003c/code\u003e bridges, edit project files such as \u003ccode\u003eCLAUDE.md\u003c/code\u003e, read bridge logs, and clone repositories where configured. Critically, because \u003ccode\u003eclaude remote-control\u003c/code\u003e bridges execute Claude Code against the host's project directories, this misconfiguration effectively grants the attacker remote code execution capabilities on the underlying system. This can lead to complete compromise of the host, data theft, and further network intrusion. Loopback deployments (\u003ccode\u003e127.0.0.1\u003c/code\u003e) are not affected by this specific vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update all Clauster instances to the latest patch release once available, as it will enforce stricter configuration validation to prevent this misconfiguration.\u003c/li\u003e\n\u003cli\u003eApply the documented workaround by ensuring \u003ccode\u003eauth.enabled: true\u003c/code\u003e is explicitly set in your \u003ccode\u003eclauster.yml\u003c/code\u003e file or via the \u003ccode\u003eCLAUSTER_AUTH_ENABLED=true\u003c/code\u003e environment variable for all non-loopback deployments.\u003c/li\u003e\n\u003cli\u003eVerify that unauthenticated access to \u003ccode\u003ehttp://\u0026lt;host\u0026gt;:7621/api/instances\u003c/code\u003e returns a \u003ccode\u003e401 Unauthorized\u003c/code\u003e status code after applying the workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T20:41:30Z","date_published":"2026-07-10T20:41:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-clauster-unauth-dashboard/","summary":"A Clauster instance deployed on a non-loopback address can be accessed unauthenticated, even if password protection is configured, due to auth.enabled defaulting to false. This allows an attacker with network access to gain full control of the dashboard, including listing projects, spawning remote-control bridges, editing files, reading logs, and cloning repositories, ultimately leading to remote code execution in project directories.","title":"Clauster Dashboard Unauthenticated Access Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-clauster-unauth-dashboard/"}],"language":"en","title":"CraftedSignal Threat Feed - Clauster (\u003c= 0.2.1)","version":"https://jsonfeed.org/version/1.1"}