in versions of Mobiusflow Gateways software the Node-Red admin API was accessible to un-authenticated users
the Node-Red Admin API was accessible at the gateway's Configuration UI endpoint without requiring user authentication. this allowed anonymous access to the Node-red flows and potentially any configuration information stored within there.
This has been fixed in v1.0.3 of the Mobiusflow Gateway software. this now requires mobius users to authenticate to the node-red admin API.