<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Clauster (&lt;= 0.2.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/clauster--0.2.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 20:41:30 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/clauster--0.2.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>Clauster Dashboard Unauthenticated Access Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-clauster-unauth-dashboard/</link><pubDate>Fri, 10 Jul 2026 20:41:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-clauster-unauth-dashboard/</guid><description>A Clauster instance deployed on a non-loopback address can be accessed unauthenticated, even if password protection is configured, due to auth.enabled defaulting to false. This allows an attacker with network access to gain full control of the dashboard, including listing projects, spawning remote-control bridges, editing files, reading logs, and cloning repositories, ultimately leading to remote code execution in project directories.</description><content:encoded><![CDATA[<p>A high-severity vulnerability (GHSA-h4g2-xfmw-q2c9) has been disclosed in Clauster, a project management and automation tool. Versions up to and including 0.2.1 are affected. The vulnerability allows an unauthenticated attacker with network access to gain full control over the Clauster dashboard and its API, even if the operator believes the instance is password-protected. This occurs when Clauster is bound to a non-loopback address (e.g., <code>0.0.0.0</code> or a local area network IP) and the <code>auth.enabled</code> configuration flag is left at its default <code>false</code> value. This misconfiguration bypasses all intended authentication checks, enabling an attacker to manipulate projects, execute arbitrary code via <code>claude remote-control</code> bridges, and potentially exfiltrate sensitive data. Docker deployments are particularly susceptible as the official image binds to <code>0.0.0.0</code> by default, and previous documentation did not explicitly advise setting <code>auth.enabled</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Clauster instance exposed on a non-loopback network interface (e.g., <code>0.0.0.0</code> or a LAN IP).</li>
<li>Attacker sends an unauthenticated HTTP GET request to a sensitive API endpoint, such as <code>http://&lt;host&gt;:7621/api/instances</code>.</li>
<li>The Clauster instance responds with a <code>200 OK</code> status code and the requested data, effectively bypassing the intended authentication mechanism due to the <code>auth.enabled: false</code> misconfiguration.</li>
<li>Attacker gains full control over all Clauster dashboard functionalities, including listing projects, accessing project details, and manipulating configurations.</li>
<li>Attacker spawns <code>claude remote-control</code> bridges within targeted project directories on the Clauster host.</li>
<li>Attacker leverages the <code>claude remote-control</code> bridge to execute arbitrary Claude Code, achieving remote code execution (RCE) on the host system within the context of the project.</li>
<li>Attacker can then edit <code>CLAUDE.md</code>, read bridge logs, or clone configured repositories, leading to data exfiltration or further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker with network access to achieve full administrative control over the Clauster dashboard. This includes the ability to list projects, spawn and stop <code>claude remote-control</code> bridges, edit project files such as <code>CLAUDE.md</code>, read bridge logs, and clone repositories where configured. Critically, because <code>claude remote-control</code> bridges execute Claude Code against the host's project directories, this misconfiguration effectively grants the attacker remote code execution capabilities on the underlying system. This can lead to complete compromise of the host, data theft, and further network intrusion. Loopback deployments (<code>127.0.0.1</code>) are not affected by this specific vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update all Clauster instances to the latest patch release once available, as it will enforce stricter configuration validation to prevent this misconfiguration.</li>
<li>Apply the documented workaround by ensuring <code>auth.enabled: true</code> is explicitly set in your <code>clauster.yml</code> file or via the <code>CLAUSTER_AUTH_ENABLED=true</code> environment variable for all non-loopback deployments.</li>
<li>Verify that unauthenticated access to <code>http://&lt;host&gt;:7621/api/instances</code> returns a <code>401 Unauthorized</code> status code after applying the workaround.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>misconfiguration</category><category>remote-code-execution</category><category>vulnerability</category><category>web-application</category></item></channel></rss>