Summary

in versions of Mobiusflow Gateways software the Node-Red admin API was accessible to un-authenticated users

Description

the Node-Red Admin API was accessible at the gateway's Configuration UI endpoint without requiring user authentication. this allowed anonymous access to the Node-red flows and potentially any configuration information stored within there.

Solution

This has been fixed in v1.0.3 of the Mobiusflow Gateway software. this now requires mobius users to authenticate to the node-red admin API.