[P0] Admin/web UI binds 0.0.0.0:9876 unauthenticated; SSE auth off by default #36

Open
opened 2026-05-23 21:52:22 +00:00 by thabeta · 0 comments
Owner

Problem
The web UI is reachable on all interfaces (socat TCP-LISTEN:9876,bind=0.0.0.0 → web.sock) with no auth, and SSE only enforces a bearer token when SHRIMP_REQUIRE_AUTH=1. On a non-trusted network this exposes the agent (file/shell tools) to anyone.

Evidence

  • crates/hero_shrimp_server/src/rpc/sse.rs — auth gated behind SHRIMP_REQUIRE_AUTH.
  • Deploy binds socat to 0.0.0.0:9876.

Proposed fix
Default to localhost bind; require a token for non-loopback access; document the secure exposure path (reverse proxy + auth).


Filed from a comparative audit of Hero Shrimp vs Qwen-Code / kimi-cli / picoclaw (2026-05-23). Severity in title: P0=correctness/trust, P1=reliability/UX, P2=cleanup.

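As an added illustration of the proposed fix (this is not code from the Hero Shrimp repository and does not use the real `sse.rs` API; function names, the `force_auth` flag standing in for `SHRIMP_REQUIRE_AUTH=1`, and the port are assumptions), the gate below makes the policy "loopback is trusted only when auth is not forced, everything else needs a bearer token", defaults the bind to 127.0.0.1, and compares the token in constant time. It uses only the Rust standard library.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

/// Policy: a request must carry a valid bearer token unless it arrives over
/// loopback AND the operator has not forced auth on (SHRIMP_REQUIRE_AUTH=1).
/// Non-loopback peers always need a token; this is the inverse of the
/// "auth only when the env var is set" default described in the issue.
pub fn auth_required(peer: IpAddr, force_auth: bool) -> bool {
    force_auth || !peer.is_loopback()
}

/// Default listener address: loopback only. Binding to 0.0.0.0 has to be an
/// explicit operator choice rather than the default. (Port is assumed.)
pub fn default_bind_addr() -> SocketAddr {
    SocketAddr::new(IpAddr::V4(Ipv4Addr::LOCALHOST), 9876)
}

/// Length-then-XOR comparison so the token check does not leak how many
/// leading bytes matched through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Extract the token from an `Authorization` header value. The scheme is
/// matched case-insensitively; a missing or empty token yields None.
fn bearer_token(header: &str) -> Option<&str> {
    let mut parts = header.trim().splitn(2, char::is_whitespace);
    let scheme = parts.next()?;
    let token = parts.next()?.trim();
    if scheme.eq_ignore_ascii_case("bearer") && !token.is_empty() {
        Some(token)
    } else {
        None
    }
}

/// Validate the header against the configured token. An empty configured
/// token never validates, so a deployment that forgot to set one fails closed.
pub fn check_bearer(header: Option<&str>, expected: &str) -> bool {
    match header.and_then(bearer_token) {
        Some(tok) if !expected.is_empty() => ct_eq(tok.as_bytes(), expected.as_bytes()),
        _ => false,
    }
}

/// Combined gate for the SSE endpoint: pass if this peer does not need auth,
/// otherwise require a valid token.
pub fn authorize(peer: IpAddr, force_auth: bool, header: Option<&str>, expected: &str) -> bool {
    if !auth_required(peer, force_auth) {
        return true;
    }
    check_bearer(header, expected)
}

fn main() {
    // Constructed sample peers: loopback v4/v6 and a LAN address.
    let peers = [
        IpAddr::V4(Ipv4Addr::LOCALHOST),
        IpAddr::V6(Ipv6Addr::LOCALHOST),
        IpAddr::V4(Ipv4Addr::new(192, 168, 1, 20)),
    ];
    let token = "s3cret-token"; // constructed; would come from config
    println!("bind default: {}", default_bind_addr());
    for p in peers {
        println!(
            "{p}: no header -> {}, good header -> {}",
            authorize(p, false, None, token),
            authorize(p, false, Some("Bearer s3cret-token"), token)
        );
    }
}
```

On the deploy side the matching change is `bind=0.0.0.0` becoming `bind=127.0.0.1` in the socat line. One caveat the loopback rule creates: a reverse proxy on the same host connects from 127.0.0.1, so with this policy it would bypass the token unless the proxy itself authenticates or the operator forces auth on; that is why the "reverse proxy + auth" exposure path should be documented together with setting `SHRIMP_REQUIRE_AUTH=1`, and why the gate must never trust a forwarded-for header for the loopback decision.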
Reference
lhumina_code/hero_shrimp#36