[CRITICAL] Valkey (Redis) exposed on mesh network without authentication #13

Open
opened 2026-05-05 15:43:31 -05:00 by pjennings · 0 comments
Owner

Labels: area:security, area:containers, priority:critical, type:bug

Description

The Valkey container on db1 binds to 10.255.0.11:1025 without any authentication configured. There is no requirepass directive or ACL configuration, so the built-in default user accepts any connection without credentials; the non-default port is not a control, any scan of the /24 finds it.

File: hosts/db1.nix lines 173-186

Impact

CRITICAL — Any host on the mesh network (10.255.0.0/24) can connect to Valkey and:

  • Read cached session data from Authentik (SSO sessions)
  • Write or overwrite cached entries, session records included, so that the dependent services read attacker-controlled data
  • Flush the database (FLUSHALL/FLUSHDB), logging out every SSO user and causing service outages
  • Use Valkey as a pivot point for further attacks: without ACLs every connected client can run admin commands such as CONFIG SET and DEBUG

Services depending on this Valkey instance: Authentik, Pelican Panel, Paperless-ngx.

Recommended Fix

  1. Add requirepass with a strong password to the Valkey configuration (this only sets a password on the built-in default user; prefer step 2 and turn the default user off entirely)
  2. Configure per-service ACL users rather than relying on the logical DB split (Authentik uses DB 3, Paperless uses DB 1, Pelican uses DB 2): one user and password per service with admin commands removed. Note that ACLs restrict commands and key patterns, not DB numbers, so any authenticated user can still SELECT another service's DB
  3. Bind Valkey to localhost and use Unix sockets for local containers, or restrict the firewall to only known client IPs
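As an added example, not configuration from this issue or from the hosts/db1.nix container, here is a minimal hardened setup covering the requirepass/ACL part of the fix. The bind address and port come from the issue; the file paths, user names and placeholder passwords are assumptions.

```conf
# --- valkey.conf (added example; path and surrounding options are assumed) ---
bind 10.255.0.11
port 1025
protected-mode yes
# Load named users from an ACL file instead of relying on requirepass.
# requirepass only sets a password on the implicit "default" user; the ACL
# file below turns that user off, so no client can log in without a named user.
aclfile /etc/valkey/users.acl

# --- /etc/valkey/users.acl (added example; path assumed) ---
# Disable the implicit "default" user: unauthenticated clients and a bare
# "AUTH <password>" without a user name both fail.
user default off

# One user per dependent service. ">..." adds a plaintext password; use
# "#<sha256-hex>" instead to keep only the hash in this file. The values
# below are placeholders, not real secrets.
# "+@all -@dangerous" keeps normal data commands and removes FLUSHALL,
# FLUSHDB, CONFIG, DEBUG, KEYS, MONITOR, SHUTDOWN and similar.
# SELECT is not in @dangerous, so each service can still switch to its DB
# (Paperless DB 1, Pelican DB 2, Authentik DB 3).
user authentik on >REPLACE_WITH_RANDOM_SECRET_1 allkeys allchannels +@all -@dangerous
user paperless on >REPLACE_WITH_RANDOM_SECRET_2 allkeys allchannels +@all -@dangerous
user pelican   on >REPLACE_WITH_RANDOM_SECRET_3 allkeys allchannels +@all -@dangerous
```

To check the fix from another mesh host: before it, `valkey-cli -h 10.255.0.11 -p 1025 PING` answers `PONG`; after it the same command answers `NOAUTH Authentication required.`, while `valkey-cli -h 10.255.0.11 -p 1025 --user authentik --pass <secret> PING` answers `PONG`. If a client library needs one of the removed commands (INFO and CLIENT are both in @dangerous), add it back selectively, e.g. `+info` or `+client|setname`, rather than restoring the whole category. The three users above are isolated by credential and command set only: ACLs have no per-DB permission, so each user can still SELECT another service's DB; key-prefix patterns (only if the clients actually prefix their keys) or one instance per service are needed for real data separation.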