[GH-ISSUE #1053] Unsafe first setup of administrator credentials on fully exposed website #6535

Closed
opened 2026-04-25 15:25:47 -05:00 by GiteaMirror · 7 comments

Originally created by @ackalker on GitHub (Jul 11, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1053

The current installation process requires setting up administrator credentials via a web browser, leaving the Pangolin server unsecured and fully exposed to the internet during this period. This creates a critical security window where an attacker could claim the administrator account and gain access to all proxied resources.

Previously, administrator setup was handled securely via the terminal (see commit d03f452). I strongly recommend restoring this option or, at minimum, providing a way to restrict or protect the initial web-based setup (e.g., setup tokens, IP whitelisting, or time-limited URLs).

Potential Impact:

  • Unauthorized control of Pangolin instance
  • Exposure of all connected services
  • Possible lateral movement within private networks

Recommendations:

  • Restore terminal-based admin setup
  • Make web-based setup optional or protected
  • Consider additional mitigations to limit attack surface during setup
GiteaMirror added the stale label 2026-04-25 15:25:47 -05:00

@miloschwartz commented on GitHub (Jul 12, 2025):

Hi, thanks. We introduced the terminal based CLI tool and the initial GUI setup simultaneously because the previous versions required the password be set in a file which wasn't ideal for many.

If someone beat you to the setup page to create the credentials they would control that account, but since the instance is empty at this point in time, you could also clear the DB or reset the password with the CLI since you control the server. Once the admin account is created, it cannot be changed or manipulated via the GUI, you have to use the CLI.

We can work on making this opt out via a question in the installer for those who would prefer to signup the first user via the CLI only.


@inspectorgadjet7 commented on GitHub (Jul 17, 2025):

Alternatively, don't open your 80 and 443 ports to everyone when you first install. Only open the ports for your IP address until you've configured everything the way you want it.

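One way to carry out the "only open the ports for your IP" suggestion on a typical Docker host, as an added example that is not from the thread or from the Pangolin project. It assumes the reverse proxy runs as a container with published ports (so Docker's own FORWARD rules, not the host INPUT chain or ufw, decide whether 80/443 traffic reaches it) and that the internet-facing interface name is supplied in `IFACE`; both the interface name and the sample address 203.0.113.5 are assumptions.

```shell
#!/bin/sh
# Added example, not Pangolin's code. Docker accepts traffic to published
# ports in its own FORWARD rules, so INPUT rules or ufw do not gate it; the
# DOCKER-USER chain is evaluated before Docker's rules and is the supported
# place for operator restrictions. Docker has already DNATed the packet by
# then, so match on the original destination port, not --dport.
IFACE="${IFACE:-eth0}"   # assumption: internet-facing interface name

# Emit the iptables commands (dry run) for review; pipe to sh to apply.
#   $1 = operator IPv4 address or CIDR
#   $2 = I (insert the rules, default) or D (delete them again)
setup_window_rules() {
  admin_ip="$1"
  action="${2:-I}"
  # Reject anything that is not digits, dots and a slash, so an odd value
  # can never be spliced into a command line that is later piped to sh.
  case "$admin_ip" in
    ""|*[!0-9./]*) echo "invalid IPv4 address/CIDR: $admin_ip" >&2; return 1 ;;
  esac
  case "$action" in
    I|D) ;;
    *) echo "action must be I or D" >&2; return 1 ;;
  esac
  for port in 80 443; do
    printf 'iptables -%s DOCKER-USER -i %s ! -s %s -p tcp -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP\n' \
      "$action" "$IFACE" "$admin_ip" "$port"
  done
}

# Stand-alone use: review, then apply, then remove once the admin exists.
#   setup_window_rules 203.0.113.5          # print the rules
#   setup_window_rules 203.0.113.5 | sh     # apply them
#   setup_window_rules 203.0.113.5 D | sh   # tear them down after setup
setup_window_rules "${1:-203.0.113.5}"
```

Everyone except the operator address is dropped before Docker's ACCEPT rules run, which is the window the issue is about; the `D` form removes exactly the rules that were inserted, so run it once the admin account exists. If the proxy instead binds to the host network, the same match belongs in the INPUT chain.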

@miloschwartz commented on GitHub (Jul 21, 2025):

@inspectorgadjet7 Good idea!


@TheBigBear commented on GitHub (Jul 23, 2025):

This is unsafe as the ticket says.
Two suggestions: maybe the installer should prompt for an initial IP to be allowed for initial administrator credential changes or setup, or it should generate some random long string it displays during setup that the owner has to use to connect.


@Error-Gap commented on GitHub (Jul 26, 2025):

> Alternatively, don't open your 80 and 443 ports to everyone when you first install. Only open the ports for your IP address until you've configured everything the way you want it.

The docker container pretty much automatically creates the rules that open ports though, and not everyone is running a configurable firewall in front of their instance (especially if they're hosted).

An easy way to safeguard this would be:
Require a secret in the config file in order to create the admin account,
i.e.

```yaml
server:
  admin_token: "password123"
```

Then prompt for it at the initial account creation page. That way the only person who should have access to the secret is going to be somebody with admin access to the server it's hosted on.

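What the two token proposals in this thread look like as server-side logic (a `server.admin_token` read from the config file, or a random long string generated at install time and shown on the terminal), as an added example that is not Pangolin's code and does not reflect how the project's setup page or CLI is implemented. Every name here (`SetupState`, `claimAdmin`, the attempt limit, the token lifetime) is an assumption made for the illustration; the point it shows is that the first-admin claim must be single-use, time-limited, rate-limited and compared in constant time, or the token only shrinks the window instead of closing it.

```typescript
// Added example, not Pangolin's own code. Gates creation of the first admin
// behind a setup token, burning the token on first use.
import { Buffer } from "node:buffer";
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

const MAX_FAILED_ATTEMPTS = 5;   // assumption: lock the setup page after this many bad tokens

interface AdminRecord {
  username: string;
  salt: Buffer;
  passwordHash: Buffer;
}

interface SetupState {
  setupToken: string;     // emptied once the admin exists so a leaked copy is worthless
  expiresAt: number;      // ms since epoch; makes the setup window time-limited
  failedAttempts: number;
  admin: AdminRecord | null;
}

type ClaimResult = "created" | "already_set_up" | "expired" | "locked_out" | "bad_token";

// The "random long string" the installer would display on the terminal.
function generateSetupToken(): string {
  return randomBytes(32).toString("hex");
}

// configuredToken stands in for server.admin_token from the config file;
// when the operator set none, a random one is generated instead.
function newSetupState(configuredToken: string | undefined, ttlMs: number, now: number = Date.now()): SetupState {
  return {
    setupToken: configuredToken || generateSetupToken(),
    expiresAt: now + ttlMs,
    failedAttempts: 0,
    admin: null,
  };
}

// Constant-time comparison; timingSafeEqual throws on unequal lengths, and a
// length mismatch is simply a failed match.
function tokensMatch(expected: string, presented: string): boolean {
  const a = Buffer.from(expected, "utf8");
  const b = Buffer.from(presented, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Handler logic for the initial account creation page.
function claimAdmin(state: SetupState, presentedToken: string, username: string,
                    password: string, now: number = Date.now()): ClaimResult {
  if (state.admin !== null) return "already_set_up";   // one-shot: dead after first use
  if (now > state.expiresAt) return "expired";
  if (state.failedAttempts >= MAX_FAILED_ATTEMPTS) return "locked_out";
  if (!tokensMatch(state.setupToken, presentedToken)) {
    state.failedAttempts += 1;
    return "bad_token";
  }
  const salt = randomBytes(16);
  state.admin = { username, salt, passwordHash: scryptSync(password, salt, 64) };
  state.setupToken = "";   // burn the token; the config value is no longer honoured
  return "created";
}

// Ordinary login check against the stored scrypt hash, for completeness.
function verifyAdminPassword(state: SetupState, username: string, password: string): boolean {
  if (state.admin === null || state.admin.username !== username) return false;
  const candidate = scryptSync(password, state.admin.salt, 64);
  return timingSafeEqual(candidate, state.admin.passwordHash);
}

// Stand-alone demo: what the installer would print when no token is configured.
const demo = newSetupState(undefined, 15 * 60 * 1000);
console.log(`Setup token (valid 15 min, single use): ${demo.setupToken}`);
```

The token is only as good as the channel it travels over: a value like `"password123"` in a config file defeats the purpose, and the generated form should be printed to the operator's terminal or log, never served by the setup page itself.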

@github-actions[bot] commented on GitHub (Aug 10, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.


@oschwartz10612 commented on GitHub (Aug 16, 2025):

Resolved by #1208

Reference: github-starred/pangolin#6535