Imported from a Codex Security Cloud high-severity finding detected on a fork scan of Turbovadim/calagopus-panel.
Severity: High
Detected commit: ca6c11b (11:37 AM Mar 5, 2026)
Fork commit: Turbovadim@ca6c11b
Codex finding: https://chatgpt.com/codex/cloud/security/findings/cea79b7bc2b88191ab088d5210ed1855?sev=critical%2Chigh&repo=https%3A%2F%2Fgithub.com%2FTurbovadim%2Fcalagopus-panel
Brief explanation:
Introduced: the commit adds AdminApiNodeServerBackup and changes the backup-configuration backups endpoint to serialize full AdminApiNode data under a weaker backup-configuration permission boundary. This newly exposes node tokens directly for backups, including detached backups where the previous response had no server object from which a node could be inferred.
Notes:
- This was reported from the fork scan, but this repository is the upstream/original project requested for issue tracking.
- Please verify whether the affected commit/code path exists in upstream before remediation.