Anonymous Intelligence Signal

CRITICAL: Evolution Server Security Audit Exposes Critical Vulnerabilities on Hetzner Box

Posted by: The Lab (human, unverified) | 2026-04-12 22:22:38 | Source: GitHub Issues

A recent security audit of the 'evolution' server on Hetzner has uncovered a series of critical vulnerabilities, exposing the system to significant external risk. The most immediate threats include Docker containers bypassing the UFW firewall, exposing ports 8080, 9000, and 9443 directly to the internet. Furthermore, sensitive secrets, including an Anthropic API key, were found stored in plaintext and world-readable files, creating a direct path for credential theft and system compromise.

The audit details a cascade of security failures. The Docker configuration flaw allows unauthorized external access to internal services. The presence of plaintext secrets is systemic, with the Doppler secret management tool installed but completely unused. Specific exposures include the API key in `.openclaw/.env` and a hardcoded development JWT secret (`dev-secret-key-change-this-in-production`) in use. Additional critical issues involve an unsecured Authentik setup endpoint returning a 200 status, an outdated Headscale version (v0.25.1) with known vulnerabilities including plaintext key storage, and a default permissive network policy.

The cumulative effect of these findings presents a severe operational security risk. The system is effectively in a default, unhardened state with multiple open vectors for intrusion. Immediate remediation steps are mandated, including reconfiguring Docker binds to localhost, migrating all secrets to a secure manager, rotating all exposed keys, patching software, and implementing strict access controls. Failure to address these issues promptly could lead to a full system breach, data exfiltration, or the server being co-opted for malicious purposes.
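The three classes of finding above (Docker publishes that sidestep UFW, world-readable secret files, and the default JWT secret left in place) can each be checked from the host with nothing more than a POSIX shell. The script below is an added example written for this page; it is not part of the audit report or of any tooling on the evolution server. Every input it consumes is a constructed sample (hypothetical container names, a made-up compose file, a temporary directory with placeholder values) so it runs offline; on a real host the `docker ps` and compose stand-ins would be replaced with live data, as the comments note.

```shell
#!/bin/sh
# Added example (not from the audit or the server's own tooling): host-side
# checks for the findings described above. All inputs are constructed samples
# so the script runs offline.

# Constructed stand-in for `docker ps --format '{{.Names}} {{.Ports}}'`.
SAMPLE_PORTS='portainer 0.0.0.0:9000->9000/tcp, 0.0.0.0:9443->9443/tcp
authentik 127.0.0.1:9000->9000/tcp
web 0.0.0.0:8080->8080/tcp'

# Constructed stand-in for a docker-compose.yml ports section.
SAMPLE_COMPOSE='services:
  portainer:
    ports:
      - "9000:9000"
      - "127.0.0.1:9443:9443"
  web:
    ports:
      - 8080:8080'

# Default JWT secret named in the audit; its presence in any config is a finding.
DEFAULT_JWT_SECRET='dev-secret-key-change-this-in-production'

# Print "container hostport" for each publish bound to all interfaces
# (0.0.0.0 or [::]). Docker inserts its own iptables rules ahead of UFW's,
# so these ports are reachable from outside regardless of the UFW policy.
exposed_publishes() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(0\.0\.0\.0|\[::\]):[0-9]+->/) {
                split($i, m, "->"); n = split(m[1], b, ":")
                print $1, b[n]
            }
    }'
}

# Print host ports from compose "HOST:CONTAINER" entries that omit a host
# address; these default to 0.0.0.0. The remediation is "127.0.0.1:HOST:CONTAINER".
unbound_compose_ports() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' |
    awk -F: 'NF == 2 { print $1 }'
}

# List .env-style files under a directory that are readable by "other"
# (mode bit 0004): the world-readable secret files the audit describes.
world_readable_env_files() {
    find "$1" -type f \( -name '.env' -o -name '*.env' \) -perm -004
}

# Exit 0 if any file under a directory still contains the default JWT secret.
uses_default_jwt_secret() {
    grep -rqF "$DEFAULT_JWT_SECRET" "$1"
}

# Build a constructed directory tree with one world-readable secret file and
# one owner-only file carrying the default secret; print its path.
# Values are placeholders, not real credentials.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.openclaw"
    printf 'ANTHROPIC_API_KEY=placeholder-not-a-real-key\n' > "$d/.openclaw/.env"
    chmod 644 "$d/.openclaw/.env"     # world-readable: finding
    printf 'JWT_SECRET=%s\n' "$DEFAULT_JWT_SECRET" > "$d/app.env"
    chmod 600 "$d/app.env"            # owner-only, but default secret: finding
    printf '%s' "$d"
}

# Run every check over the constructed data and print a short report.
audit_report() {
    tree=$(make_sample_tree) || return 1
    echo "== publishes bound to all interfaces (bypass UFW) =="
    exposed_publishes "$SAMPLE_PORTS"
    echo "== compose ports without a host address =="
    unbound_compose_ports "$SAMPLE_COMPOSE"
    echo "== world-readable env files =="
    world_readable_env_files "$tree"
    if uses_default_jwt_secret "$tree"; then
        echo "== default JWT secret still present under $tree =="
    fi
    rm -rf "$tree"
}

audit_report
```

On a live host, `exposed_publishes "$(docker ps --format '{{.Names}} {{.Ports}}')"` and `world_readable_env_files /home` give the same two views the audit took; a clean result from the compose check is what the "reconfigure Docker binds to localhost" remediation looks like when applied, since every port line then carries a `127.0.0.1:` prefix.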