CVE-2025-30206

CVSSv4: NA | CVSSv3: 9.8 | CVSSv2: NA | VMScore: 1000 | EPSS: 0.00073 | KEV: Not Included
Published: 15/04/2025 Updated: 16/04/2025

Vulnerability Summary

Hardcoded JWT Secret in Dpanel Docker Management System Enables Authentication Bypass

Dpanel, a Docker visualization panel system offering comprehensive Docker management functions, contains a critical security vulnerability in its default configuration. The service ships with a hardcoded JWT secret, so anyone who recovers that secret from the source code can generate valid authentication tokens and bypass authentication entirely. Such forged tokens allow an attacker to impersonate privileged users and gain unauthorized administrative access. Because the panel manages Docker, this can lead to complete control over the host machine, with consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, and lateral movement within the network. The flaw is fixed in version 1.6.1; the recommended workaround is to replace the hardcoded secret with a securely generated value loaded from secure configuration storage.
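An added example illustrating the remediation described above (this is not Dpanel's code, and the secret shown is a constructed placeholder, not the real hardcoded value): a startup check that refuses an empty, placeholder, or too-short JWT secret, plus a minimal HS256 verifier showing that tokens minted under the old secret stop verifying once the secret is rotated. The environment variable name APP_JWT_SECRET is an assumption.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholder standing in for a secret baked into source code.
HARDCODED_PLACEHOLDER = "CHANGE_ME_hardcoded_placeholder"
MIN_SECRET_BYTES = 32  # 256 bits, the usual floor for an HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is a valid HS256 JWT under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


def load_jwt_secret(env: dict, var: str = "APP_JWT_SECRET") -> bytes:
    """Load the signing secret from configuration and refuse to start on a weak or shipped value."""
    value = env.get(var, "")
    if not value:
        raise RuntimeError(f"{var} is not set; generate one with secrets.token_urlsafe(32)")
    if value == HARDCODED_PLACEHOLDER:
        raise RuntimeError(f"{var} still holds the placeholder baked into the source")
    if len(value.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"{var} is shorter than {MIN_SECRET_BYTES} bytes")
    return value.encode()


def rotation_invalidates_old_tokens() -> bool:
    """A token minted under the shipped placeholder must not verify after the secret is rotated."""
    rotated = load_jwt_secret({"APP_JWT_SECRET": secrets.token_urlsafe(32)})
    old_token = sign_hs256({"sub": "admin", "role": "admin"}, HARDCODED_PLACEHOLDER.encode())
    still_valid_under_old = verify_hs256(old_token, HARDCODED_PLACEHOLDER.encode()) is not None
    rejected_under_new = verify_hs256(old_token, rotated) is None
    return still_valid_under_old and rejected_under_new
```

Running `load_jwt_secret` at process start turns a silently-shipped default into a refused deployment, which is the check a hardcoded-secret finding calls for.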