GHSA-H4G2-XFMW-Q2C9: Missing Authentication Bypass in Clauster Configuration Validator
Vulnerability ID: GHSA-H4G2-XFMW-Q2C9
CVSS Score: 8.7
Published: 2026-07-10
Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.
TL;DR
Clauster v0.2.1 and below allows a silent authentication bypass on non-loopback network bindings if the 'auth.enabled' configuration key is omitted, leading to remote code execution.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-306
- Attack Vector: Adjacent Network
- CVSS v4 Score: 8.7
- Exploit Status: PoC Available
- Impact: Remote Code Execution (RCE)
- Affected Component: Configuration Validator & Auth Guard
Affected Systems
- Clauster
-
Clauster: <= 0.2.1 (Fixed in:
v0.2.2)
Code Analysis
Commit: 84a3b81
Refactor validation to ensure auth.enabled is validated together with configured credentials before allowing non-loopback bindings.
Mitigation Strategies
- Upgrade the clauster package to version v0.2.2 or higher.
- Explicitly set auth.enabled to true in the configuration configuration file.
- Restrict network bindings to the loopback interface (127.0.0.1).
Remediation Steps:
- Run 'pip install --upgrade clauster' or 'uv pip install --upgrade clauster' to update to v0.2.2.
- Inspect your configuration file (clauster.yml) and set auth.enabled: true.
- Regenerate secure password hashes using the 'clauster hash-password' utility.
- Restart the Clauster application daemon or container.
References
Read the full report for GHSA-H4G2-XFMW-Q2C9 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)