Imported from a Codex Security Cloud high-severity finding detected on a fork scan of Turbovadim/calagopus-panel.
Severity: High
Detected commit: 6cfc78c (5:10 PM Apr 14, 2026)
Fork commit: Turbovadim@6cfc78c
Codex finding: https://chatgpt.com/codex/cloud/security/findings/e8363a1eca2c81919bc346bbebdbbea5?sev=critical%2Chigh&repo=https%3A%2F%2Fgithub.com%2FTurbovadim%2Fcalagopus-panel
Brief explanation:
Introduced an RBAC-sensitive information disclosure: the new server backups listing endpoint exposes node tokens through AdminApiNode under the weaker nodes.backups permission. The endpoint should return a tokenless node DTO, require nodes.read before returning AdminApiNode, or use a dedicated backup DTO that omits node credentials.
Notes:
- This was reported from the fork scan, but this repository is the upstream/original project requested for issue tracking.
- Please verify whether the affected commit/code path exists in upstream before remediation.
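As an added illustration (not code from calagopus-panel; the type and field names are assumptions), a Rust sketch of the vulnerable listing shape next to the dedicated tokenless backup DTO the finding recommends:

```rust
// Added example, not calagopus-panel code: type names and fields are
// assumptions chosen to illustrate the remediation described above.
/// Full admin-facing node record. `token_id` and `token` are daemon credentials.
#[derive(Debug, Clone)]
pub struct AdminApiNode {
    pub uuid: String,
    pub name: String,
    pub token_id: String,
    pub token: String,
}

/// Tokenless node reference: the only node shape a backup listing should embed.
#[derive(Debug, Clone, PartialEq)]
pub struct BackupNodeRef {
    pub uuid: String,
    pub name: String,
}

impl From<&AdminApiNode> for BackupNodeRef {
    fn from(node: &AdminApiNode) -> Self {
        BackupNodeRef { uuid: node.uuid.clone(), name: node.name.clone() }
    }
}

/// Dedicated backup DTO for the `nodes.backups` listing.
#[derive(Debug, Clone, PartialEq)]
pub struct AdminApiBackup {
    pub uuid: String,
    pub node: BackupNodeRef,
}

/// Vulnerable shape: any caller holding `nodes.backups` receives the full node, token included.
pub fn list_backups_vulnerable(rows: &[(String, AdminApiNode)]) -> Vec<(String, AdminApiNode)> {
    rows.to_vec()
}

/// Hardened shape: the return type cannot carry a token, so no serializer can leak one.
pub fn list_backups_hardened(rows: &[(String, AdminApiNode)]) -> Vec<AdminApiBackup> {
    rows.iter()
        .map(|(uuid, node)| AdminApiBackup { uuid: uuid.clone(), node: node.into() })
        .collect()
}

/// Constructed sample rows (backup uuid, owning node) with obviously fake credentials.
pub fn sample_rows() -> Vec<(String, AdminApiNode)> {
    vec![("backup-0001".into(), AdminApiNode {
        uuid: "node-0001".into(), name: "node01".into(),
        token_id: "EXAMPLE-TOKEN-ID".into(), token: "EXAMPLE-NODE-TOKEN".into(),
    })]
}
```

Rendering both results with `{:?}` makes the difference visible: the vulnerable listing carries the token string, the hardened one cannot, which is the property a regression test for this finding should assert.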