This is a security release. A non-loopback bind (e.g. 0.0.0.0 or a LAN IP) could serve the dashboard unauthenticated when auth.enabled was left at its default false — even with a password configured — because the runtime guard only enforces auth when auth.enabled is set, while config validation did not require it. The config validator now refuses to start a non-loopback bind unless authentication is actually enforced (auth.enabled: true together with auth.password_required + a hash, or auth.reverse_proxy.enabled; or the explicit auth.allow_unauthenticated_network opt-out). All prior releases (≤ 0.2.1) are affected, including the Docker image. Upgrade, and on any networked deployment set auth.enabled: true. See GHSA-h4g2-xfmw-q2c9.
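An added example (not the project's own code) of the startup check described above, written in Python. The key names `bind` and `password_hash` are assumptions, because the release note does not name the bind setting or the hash field; the other `auth.*` keys are the ones named above, and the rule is read as `auth.enabled` plus either a required password with a hash or the reverse proxy, or else the explicit opt-out.

```python
import ipaddress

def is_loopback_bind(host: str) -> bool:
    """True only if the bind address is unreachable from other machines."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # unknown hostname: fail closed, treat as networked

def auth_enforced(auth: dict) -> bool:
    """auth.enabled must be true AND a working mechanism must be configured."""
    if not auth.get("enabled", False):  # default false: the runtime guard is off
        return False
    # "password_hash" is an assumed key name for the hash the note mentions.
    password_ok = bool(auth.get("password_required")) and bool(auth.get("password_hash"))
    proxy_ok = bool((auth.get("reverse_proxy") or {}).get("enabled"))
    return password_ok or proxy_ok

def validate(config: dict) -> list:
    """Return startup errors; an empty list means the service may start."""
    host = config.get("bind", "127.0.0.1")  # "bind" is an assumed key name
    auth = config.get("auth") or {}
    if is_loopback_bind(host):
        return []
    if auth_enforced(auth) or auth.get("allow_unauthenticated_network", False):
        return []
    return [f"bind {host!r} is not loopback and authentication is not enforced; "
            "set auth.enabled: true"]

# Constructed sample configs (hash value is a placeholder).
AFFECTED = {"bind": "0.0.0.0",
            "auth": {"password_required": True, "password_hash": "<hash>"}}
FIXED = {"bind": "0.0.0.0",
         "auth": {"enabled": True, "password_required": True,
                  "password_hash": "<hash>"}}

if __name__ == "__main__":
    for name, cfg in (("affected", AFFECTED), ("fixed", FIXED)):
        print(name, validate(cfg) or "ok")
```

The `AFFECTED` config is the case the advisory describes: a password is configured, but `auth.enabled` is absent, so a networked bind must be refused at startup.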