DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H4G2-XFMW-Q2C9: GHSA-H4G2-XFMW-Q2C9: Missing Authentication Bypass in Clauster Configuration Validator

GHSA-H4G2-XFMW-Q2C9: Missing Authentication Bypass in Clauster Configuration Validator

Vulnerability ID: GHSA-H4G2-XFMW-Q2C9
CVSS Score: 8.7
Published: 2026-07-10

Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.

TL;DR

Clauster v0.2.1 and below allows a silent authentication bypass on non-loopback network bindings if the 'auth.enabled' configuration key is omitted, leading to remote code execution.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306
  • Attack Vector: Adjacent Network
  • CVSS v4 Score: 8.7
  • Exploit Status: PoC Available
  • Impact: Remote Code Execution (RCE)
  • Affected Component: Configuration Validator & Auth Guard

Affected Systems

  • Clauster
  • Clauster: <= 0.2.1 (Fixed in: v0.2.2)

Code Analysis

Commit: 84a3b81

Refactor validation to ensure auth.enabled is validated together with configured credentials before allowing non-loopback bindings.

Mitigation Strategies

  • Upgrade the clauster package to version v0.2.2 or higher.
  • Explicitly set auth.enabled to true in the configuration configuration file.
  • Restrict network bindings to the loopback interface (127.0.0.1).

Remediation Steps:

  1. Run 'pip install --upgrade clauster' or 'uv pip install --upgrade clauster' to update to v0.2.2.
  2. Inspect your configuration file (clauster.yml) and set auth.enabled: true.
  3. Regenerate secure password hashes using the 'clauster hash-password' utility.
  4. Restart the Clauster application daemon or container.

References


Read the full report for GHSA-H4G2-XFMW-Q2C9 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)