[GH-ISSUE #1202] [Security Enhancement] Prevent enumeration of pangolin resources #1805

Closed
opened 2026-04-16 08:38:52 -05:00 by GiteaMirror · 7 comments

Originally created by @TheConen on GitHub (Aug 2, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1202

Originally assigned to: @oschwartz10612 on GitHub.

Given

A Pangolin resource is configured to always allow access from a specific IP range and disallow access from all other IP ranges.

Image

When

A user from outside of the allowed IP range accesses that resource

Then

Current behavior

Pangolin returns a 401 Unauthorized

Image

This allows enumerating all resources that are present on a Pangolin instance that the user does not have access to, and potentially targeting specific services. E.g. if a user knows that vaultwarden.mydomain.com exists, then he also knows that there are probably rules that always allow access to specific paths like /api/* that he could try to exploit.

Proposed behavior

Pangolin should return the same response as if the resource was not found, so that a non-existing resource is not distinguishable from a resource to which access was denied.

Added after some Discord discussion: This only applies to the response presented to the user. Internal backend tools like CrowdSec might rely on the 401 (or 403) code.

Image

References

OWASP: Enumerate Applications on Webserver (https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver)

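The split the issue asks for, a uniform not-found view for the requester while the real 401/403 outcome is kept for internal tooling such as CrowdSec, as an added TypeScript example that is not Pangolin's code. `evaluate`, `inCidr`, `sameClientView`, the `Resource` shape and the sample host are constructed for illustration, and the CIDR matching is IPv4-only.

```typescript
// Added example, not Pangolin's own code: the internal authorization outcome
// (401/403 vs 404, for logs and CrowdSec-style tools) is separated from the
// client view, which is identical for "denied" and "does not exist".
type Decision = "allow" | "deny" | "not_found";

interface Resource { host: string; allowCidrs: string[] } // "always allow" IP rules (constructed shape)

interface ClientView { status: number; body: string; headers: Record<string, string> }

interface AuthResult {
  internal: { decision: Decision; status: number; reason: string }; // never sent to the client
  client: ClientView;                                               // what the requester receives
}

// Same status, body and headers for both non-allowed cases, so they cannot be told apart.
const NOT_FOUND_VIEW: ClientView = { status: 404, body: "Not Found", headers: { "content-type": "text/plain" } };

// Dotted-quad IPv4 to an unsigned 32-bit integer.
function ipToInt(ip: string): number {
  return ip.split(".").map(Number).reduce((acc, octet) => ((acc << 8) | octet) >>> 0, 0);
}

// IPv4-only CIDR check; a bare address is treated as /32.
function inCidr(ip: string, cidr: string): boolean {
  const parts = cidr.split("/");
  const bits = parts.length > 1 ? Number(parts[1]) : 32;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0] ?? cidr) & mask) >>> 0);
}

function evaluate(resources: Map<string, Resource>, host: string, clientIp: string): AuthResult {
  const resource = resources.get(host);
  if (!resource) {
    return { internal: { decision: "not_found", status: 404, reason: `no resource for ${host}` }, client: { ...NOT_FOUND_VIEW } };
  }
  if (resource.allowCidrs.some((cidr) => inCidr(clientIp, cidr))) {
    return { internal: { decision: "allow", status: 200, reason: "matched allow rule" }, client: { status: 200, body: "OK", headers: {} } };
  }
  // Internally a 403 (a 401 for a client that never authenticated); externally the shared 404 view.
  return { internal: { decision: "deny", status: 403, reason: `${clientIp} outside allow rules for ${host}` }, client: { ...NOT_FOUND_VIEW } };
}

// True when two client views are identical in status, body and headers.
function sameClientView(a: ClientView, b: ClientView): boolean {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Constructed sample configuration: one resource restricted to an internal range.
const RESOURCES = new Map<string, Resource>([
  ["vaultwarden.example.com", { host: "vaultwarden.example.com", allowCidrs: ["10.0.0.0/8"] }],
]);
```

Log `result.internal` on the server side and emit only `result.client` to the requester; the internal record is what a CrowdSec-style parser would consume.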
GiteaMirror added the enhancement, reverse proxy labels 2026-04-16 08:38:52 -05:00

@github-actions[bot] commented on GitHub (Aug 17, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@p3l1 commented on GitHub (Aug 20, 2025):

+1 on this. Pangolin is a web facing application and therefore should prohibit the described enumeration of resources.


@jnewing commented on GitHub (Sep 20, 2025):

+1 to this.


@boomam commented on GitHub (Dec 4, 2025):

Would support this being implemented.
Right now, I 'deal' with it via Traefik middleware, with a chain that IP blocks the routers for Pangolin components.
The issue however is that doing that prevents some of the other auth functions (like PIN codes) being used for remote users, as that base URL is no longer accessible.


@ATragicEnding commented on GitHub (Dec 12, 2025):

+1 to this, many self-hosted services can be leveraged for attacks. Preventing enumeration would help tremendously.


@dyay108 commented on GitHub (Feb 15, 2026):

+1


@kazooie13 commented on GitHub (Feb 22, 2026):

+1


Reference: github-starred/pangolin#1805