| Titel | Sipeed PicoClaw <= v0.2.9 Authentication Bypass Using an Alternate Path or Channel (CWE-288) |
|---|
| Beschreibung | # Technical Details
An authentication and network-policy bypass exists in launcher first-run setup in `web/backend/middleware/access_control.go`, `web/backend/api/auth.go`, and `web/backend/main.go` of PicoClaw.
The application fails to enforce `allowed_cidrs` for requests relayed through a same-host loopback proxy. `IPAllowlist` unconditionally trusts loopback peers before checking configured CIDRs, and `handleSetup` allows unauthenticated password initialization while the launcher password store is uninitialized.
# Vulnerable Code
File: `web/backend/middleware/access_control.go`
Method: `IPAllowlist`
Why: Allows any request whose immediate `RemoteAddr` is loopback before evaluating `allowed_cidrs`.
File: `web/backend/api/auth.go`
Method: `handleSetup`
Why: Allows anyone who can reach `/api/auth/setup` to initialize the dashboard password on a fresh launcher.
File: `web/backend/main.go`
Method: launcher route wiring
Why: Registers `/api/auth/setup` and places the mux behind `IPAllowlist`, so the loopback-trust decision directly gates first-run authentication setup.
# Reproduction
1. Configure launcher with `public: true` and an `allowed_cidrs` value excluding the attacker IP.
2. Start a fresh launcher with no existing dashboard password.
3. Confirm a direct request to `/api/auth/setup` from a non-allowed host IP returns `403`.
4. Relay the same request through a same-host loopback proxy or TCP forwarder.
5. Observe the proxied setup request returns `200 {"status":"ok"}` and `/api/auth/status` changes to `initialized:true`.
# Impact
- Allows remote unauthenticated initialization of the launcher dashboard password on fresh instances.
- Bypasses network restrictions operators configured with `allowed_cidrs`.
- Enables takeover of launcher admin functionality, including configuration changes, credential management, gateway lifecycle actions, and other admin-plane API access. |
|---|
| Quelle | ⚠️ https://github.com/sipeed/picoclaw/issues/3080 |
|---|
| Benutzer | Eric-i (UID 97584) |
|---|
| Einreichung | 09.06.2026 13:33 (vor 1 Monat) |
|---|
| Moderieren | 18.07.2026 09:23 (1 month later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 380014 [Sipeed PicoClaw bis 0.2.9 First Run Setup access_control.go allowed_cidrs schwache Authentisierung] |
|---|
| Punkte | 20 |
|---|