Ory Admin Ports Publicly Exposed in Production Compose File — High-Severity Security Flaw
A high-severity security misconfiguration has been identified in a production deployment file, publicly exposing four Ory admin APIs. The flaw, documented in a security architect's report, involves host port bindings in the `compose.prod.yml` file that publish internal administrative APIs on the host's network interfaces, and therefore to the public internet on an internet-facing host. The affected APIs belong to both the CIAM and IAM stacks (Ory Kratos for identities, Ory Hydra for OAuth2) and provide unrestricted CRUD operations over user identities, OAuth2 clients, consent sessions, and grants. Ory's admin APIs carry no built-in authentication: Ory's deployment guidance assumes they are reachable only from a trusted network, so anything that can open a TCP connection to one of them has full administrative control of that service.
The specific lines in the production compose file publish the container-side admin ports on host ports, in Docker's `host:container` notation: `3101:5001` (CIAM Kratos), `4101:7001` (IAM Kratos), `3103:5003` (CIAM Hydra), and `4103:7003` (IAM Hydra). Because no bind address is given, Docker publishes each of these on all host interfaces (`0.0.0.0`). The bindings serve no operational purpose: all dependent services (Athena, Hera, Site, and Sidecar) are documented to connect over the internal Docker `intranet` network using container DNS names, which does not require any port to be published on the host. The exposure creates a direct, unauthenticated pathway to the core identity and access management systems.
The security requirement mandates the immediate removal of these four port bindings. The fix is categorized as high-severity and is linked to a broader platform security ticket. Verification has two parts: confirm that nothing on the host listens on ports 3101, 4101, 3103, and 4103 after the change, and confirm that every dependent service still reaches the Kratos and Hydra admin APIs over the `intranet` network, so that the external attack surface is eliminated without operational disruption.
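The following is an added example, not code from the report or from the project's compose file: a pre-deploy check that fails when a compose file publishes any of the four admin container ports named in the report, run against a constructed "before" fragment that mirrors the reported bindings and a "after" fragment with them removed. The service names (`ciam-kratos`, `iam-kratos`, `ciam-hydra`, `iam-hydra`) and the extra non-admin `3102:5002` binding in the sample are assumptions made for illustration; the admin ports 5001, 7001, 5003 and 7003 and the `intranet` network come from the report.

```shell
#!/bin/sh
# Added example (not the project's own code). Service names below are assumed;
# the four admin container ports come from the report's host:container bindings.
set -u

ADMIN_PORTS="5001 7001 5003 7003"

# write_samples DIR: write two constructed compose fragments into DIR:
# compose.prod.yml (exposed, mirroring the report) and compose.prod.fixed.yml.
write_samples() {
    dir=$1
    cat > "$dir/compose.prod.yml" <<'EOF'
services:
  ciam-kratos:
    image: oryd/kratos
    networks: [intranet]
    ports:
      - "3101:5001"   # host 3101 -> container 5001 (Kratos admin), on 0.0.0.0
  iam-kratos:
    image: oryd/kratos
    networks: [intranet]
    ports:
      - "4101:7001"
  ciam-hydra:
    image: oryd/hydra
    networks: [intranet]
    ports:
      - "3103:5003"
      - "3102:5002"   # constructed non-admin port: must NOT be flagged
  iam-hydra:
    image: oryd/hydra
    networks: [intranet]
    ports:
      - "4103:7003"
networks:
  intranet:
EOF
    cat > "$dir/compose.prod.fixed.yml" <<'EOF'
services:
  ciam-kratos:
    image: oryd/kratos
    networks: [intranet]    # admin API reachable only as ciam-kratos:5001 on intranet
  iam-kratos:
    image: oryd/kratos
    networks: [intranet]
  ciam-hydra:
    image: oryd/hydra
    networks: [intranet]
    ports:
      - "3102:5002"   # non-admin port may stay published
  iam-hydra:
    image: oryd/hydra
    networks: [intranet]
networks:
  intranet:
EOF
}

# published_admin_ports FILE: print "service host:container" for every short-syntax
# ports entry whose container-side port is an Ory admin port. Exit status is 1 if
# any were found (deployment must be blocked) and 0 if the file is clean.
published_admin_ports() {
    awk -v admin="$ADMIN_PORTS" '
        BEGIN { n = split(admin, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1; found = 0 }
        /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc) }   # service header
        /^[[:space:]]*ports:[[:space:]]*$/ { in_ports = 1; next }               # start of ports list
        in_ports && !/^[[:space:]]*-/     { in_ports = 0 }                      # list ended
        in_ports {
            spec = $2; gsub(/"/, "", spec)            # strip quotes around the mapping
            sub(/\/(tcp|udp)$/, "", spec)             # strip protocol suffix if present
            m = split(spec, p, ":")                   # [ip:]host:container
            if (m >= 2 && (p[m] in bad)) { print svc " " spec; found = 1 }
        }
        END { exit found }
    ' "$1"
}

# demo: run the check on both constructed files and report the result.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== compose.prod.yml (before) =="
    published_admin_ports "$dir/compose.prod.yml" || echo "FAIL: admin ports published on the host"
    echo "== compose.prod.fixed.yml (after) =="
    published_admin_ports "$dir/compose.prod.fixed.yml" && echo "OK: no admin ports published"
    rm -rf "$dir"
}

demo
```

The check parses only the short `host:container` list syntax, so run it on the source `compose.prod.yml`, not on the output of `docker compose config`, which rewrites ports into the long `published:`/`target:` form. For the runtime half of the verification, `docker port <container>` on each Kratos and Hydra container and `ss -ltn` on the host should show no listener on 3101, 4101, 3103 or 4103 after the fix, and a request to `http://ciam-kratos:5001/health/ready` (and the corresponding names and ports for the other three) from a dependent container such as Athena or Hera should still return 200 over `intranet`. Two caveats: a host firewall such as ufw does not protect published ports, because Docker inserts its own forwarding rules ahead of the host's INPUT chain, so removing the binding is the real fix; and binding to `127.0.0.1:3101:5001` instead of removing the entry only narrows exposure to processes on the host, which is not what the requirement asks for.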