Discuss

1.3k Topics 10.7k Posts

Feedback, suggestions, anything else Cloudron related

  • What do you do?
    Pinned · 7 Votes · 74 Posts · 52k Views
    robi: @nostrdev so glad you investigated when I recommended Cloudron. Glad to have you here.
  • Show me your dashboard :)
    Pinned · 6 Votes · 65 Posts · 36k Views
    T: @scooke just following the documentation for self development/deploy, it is still basically docker and there are good basic containers to start from. I had some more but moved to my local running TrueNAS Scale and using OCID from cloudron.
  • Download caching when updating apps
    0 Votes · 3 Posts · 62 Views
    humpty: @joseph Perfect
  • Bug report
    Moved · 2 Votes · 8 Posts · 73 Views
    girish: @dark thanks for your report. I looked into them. For transparency, here is our assessment. All the reported issues require the attacker to already have an admin token / compromised admin password. None of the issues below are reproducible as a (compromised) normal user. Also, the issues were reproduced on the demo instance, which of course has the admin username/password displayed in public. We found the report to be thorough and with a clear explanation of how to reproduce the problems. From our side, we ack the bugs and have made the following fixes:

    Problem: Full SSRF via applinks. This is about adding an internal IP as an applink.
    Our analysis: Linking to internal apps is a legitimate feature. An applink is fundamentally a bookmark and there's nothing wrong with pointing it at 192.168.1.50 or an internal app. The applinks REST response only returns label and icon, not the contents of a site. You can't really infiltrate EC2 metadata etc., and neither can you make non-GET requests.
    Our fix: We have added a fix now to block server-internal IPs like localhost and the docker internal network.

    Problem: SQL injection via dynamic column names. This is about being able to send arbitrary field names in the REST APIs.
    Our analysis: Indeed, our query builders should only use field names which are in the db and are part of an allow list.
    Our fix: We have added an allow list to all our model code.

    Problem: 2FA/TOTP BYPASS via skipTotpCheck: true
    Our analysis: I think this is because the demo instance does not allow you to set a TOTP. It doesn't show an error currently when this happens and leads the user to believe an OTP was set. For the demo server, we can't allow users to set a TOTP because it will make it unusable for others.
    Our fix: We will show an error like we show in other places. But also, the password login routes have already been removed in Cloudron 10 (which is yet to be released). That route exists as a backward compat for the CLI. Cloudron only supports OIDC device auth for the CLI from Cloudron 10.

    Problem: Stored XSS via branding footer
    Our analysis: Right. This issue has been present for ages and our demo instance always has someone putting some alert() or some stupid HTML in there periodically...
    Our fix: We give in to the non-stop reports about this... We use dompurify now.

    Thanks for the report again. Very clear and solid notes. I also took the chance to update https://www.cloudron.io/security.html and https://www.cloudron.io/.well-known/security.txt
  • Application unexpectedly missing in Backup
    Tags: backups scheduler
    1 Votes · 4 Posts · 132 Views
    nottheend: I guess I have more questions around the integrity check: What is the exact criteria for "green" or "red"? Here's why I'm asking: After recovering my Cloudron, I noticed that one backup location, an external drive, is still present in the configuration. BUT: that external drive is no longer mounted (or even connected, for that matter). I haven't disabled the location in Cloudron yet. Now here's the surprising part for me: Cloudron still claims it performed a backup to that location. And when I run the integrity check on that backup, it shows up as green. For a backup that, as far as I can tell, doesn't actually exist on accessible hardware. I realise I might not fully understand how ext4 mounts work behind the scenes, but I do know that the physical hardware isn't connected. So this makes me wonder: how does the integrity check actually work under the hood? Does it only check metadata or local records, rather than verifying the actual remote files? Would love to understand this better, because right now a "green" integrity result feels less reliable than I initially thought. Thanks for bearing with me.
  • Migration of apps with LDAP users?
    3 Votes · 1 Posts · 160 Views
    No one has replied
  • Cloudron and Swap File Use
    Moved · 0 Votes · 14 Posts · 1k Views
    james: Hello @sponch It depends on how your provider initializes the Ubuntu system. A good guide is https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_storage_devices/getting-started-with-swap_managing-storage-devices#recommended-system-swap-space_getting-started-with-swap According to the Red Hat guide, 4GB SWAP for a 32GB RAM system is the minimum recommended.
  • NostrVPN
    5 Votes · 9 Posts · 835 Views
    marcusquinn: @girish that's true! Thankfully I've never had any Cloudron security breaches, but the existence of all apps is visible to the public web, and with AI now able to find zero-day exploits so quickly, data-security risks are increasing. One way to mitigate that is if the apps were limited to access only from those with access to them via their mesh VPN. Maybe it's already possible by asking AI to set all that up, but I'm just thinking out loud for the ordinary person that might not want to tinker with that and would just have it as an option out of the box.
  • How to Setup LinkStack on Cloudron
    Tags: linkstack linktree littlelink tutorial custom-apps
    5 Votes · 15 Posts · 3k Views
    jdaviescoates: I just tried them too - so easy! Can literally copy-paste it all as is and then it's done! @gengar
  • remotestorage.io
    2 Votes · 3 Posts · 2k Views
    rosano: @seeker Community app now available: https://forum.cloudron.io/topic/15473/bind-git-backed-web-apps
  • Affected: Copy Fail CVE-2026-31431
    Moved · Tags: ubuntu security cve
    3 Votes · 3 Posts · 1k Views
    J: https://cert.europa.eu/publications/security-advisories/2026-005/ is maybe a better link
  • What happens before a backup is "created"?
    Moved · Tags: backup retention tasks system timezone
    0 Votes · 4 Posts · 616 Views
    nottheend: Thank you @james! And I just realised that "Last run:" refers to the end of the creation of the backup. Now things match again.
  • Apps for file management/sharing/syncing
    7 Votes · 29 Posts · 4k Views
    W: @stalecontext I've built an image on Docker Hub: https://hub.docker.com/repository/docker/wazolab/copyparty Also, I've opened 2 issues on your repo: https://git.cathedral.gg/Ben/copyparty-cloudron-app/issues/1 https://git.cathedral.gg/Ben/copyparty-cloudron-app/issues/2
  • 14 Votes · 7 Posts · 2k Views
    I: @james I think this post is worth adding to our documentation.
  • API for SSL certificate per domain
    Moved · 0 Votes · 7 Posts · 1k Views
    potemkin_ai: Hey @james, it's not what I'm looking for - I need an already issued SSL certificate to be planted into Cloudron, automatically. The command I've reverse-engineered and provided earlier works, so I'll stick with it for now. Hopefully, an official, stable, documented API will appear soon.
  • 0 Votes · 25 Posts · 2k Views
    L: @timconsidine thanks. This was on my own version. I haven't got round to trying yours yet Tim, but yours is the one people should try.
  • Presales Q's
    1 Votes · 2 Posts · 419 Views
    james: Hello @dimtar Currently, there is no Cloudron built-in method for that. You can always put a firewall in front of Cloudron and only allow access from certain IP address ranges or a VPN. See https://docs.cloudron.io/installation/home-server and https://docs.cloudron.io/installation/intranet. You can run a completely firewalled installation with valid SSL certs.
  • I have killed the Wandering Monster
    Tags: ai bug
    2 Votes · 10 Posts · 893 Views
    J: @loudlemur I didn't write the skills. But @james is a good candidate for feedback.
  • NetBird - installation and my experience
    3 Votes · 11 Posts · 26k Views
    S: @dantheman thanks for the write-up. It looks like there are fans of this and Firezone. I do not know enough to know what would be best, but I love this as an option to provide apps to specific users AND also as a means of backing things up locally.
  • Struggling to Replace MinIO - Advice Welcome!
    2 Votes · 18 Posts · 3k Views
    necrevistonnezr: restic is also a strong candidate; it's my daily driver: https://restic.net/ Super reliable. And there's even a community guide (by me): https://docs.cloudron.io/guides/community/restic-rclone