The default node configuration includes a hardcoded BASE_NODE_L2_ENGINE_AUTH_RAW value. The Reth entrypoint writes this value into the JWT file used by --authrpc.jwtsecret, while also starting authrpc on 0.0.0.0.
This means every node using the default configuration shares the same Engine API JWT secret.
Although docker-compose.yml does not publish port 8551 by default, this is still a dangerous default for operators using host networking, Kubernetes, custom compose files, manual port mappings, or shared Docker networks. If authrpc becomes reachable, the JWT secret is already public because it is committed in the repository.
The default node configuration includes a hardcoded BASE_NODE_L2_ENGINE_AUTH_RAW value. The Reth entrypoint writes this value into the JWT file used by --authrpc.jwtsecret, while also starting authrpc on 0.0.0.0.
This means every node using the default configuration shares the same Engine API JWT secret.
Although docker-compose.yml does not publish port 8551 by default, this is still a dangerous default for operators using host networking, Kubernetes, custom compose files, manual port mappings, or shared Docker networks. If authrpc becomes reachable, the JWT secret is already public because it is committed in the repository.