
Releases: bun4uk/chadmin

v2.1.0 — ClickHouse Cloud private endpoint support


@bun4uk bun4uk released this 22 Jun 16:21

Adds opt-in support for connecting to ClickHouse Cloud services over their private endpoint (AWS PrivateLink / GCP Private Service Connect / Azure Private Link) instead of the public endpoint.

What's new

  • New env var CLICKHOUSE_CLOUD_USE_PRIVATE_DNS (default false). When enabled, each Cloud service's data-plane host is resolved to its private DNS hostname.
  • The hostname is fetched per service from the control-plane endpoint GET /v1/organizations/{org}/services/{id}/privateEndpointConfig — a control-plane call that never wakes an idle service.
  • Resolved hostnames are cached (positive 300s, negative 30s) and fall back to the public endpoint when no private endpoint is configured or the lookup fails.
  • The private host also feeds the idle-wake /ping, so wake actions stay on the private network too.

Enable only when chadmin runs inside the VPC/network where the private DNS hostname resolves.

Upgrade

No action required — the feature is off by default. To turn it on, set CLICKHOUSE_CLOUD_USE_PRIVATE_DNS=true.

Docker images (multi-arch amd64/arm64):

  • bun4uk/chadmin:2.1.0 / bun4uk/chadmin:latest
  • ghcr.io/bun4uk/chadmin:2.1.0 / ghcr.io/bun4uk/chadmin:latest

v2.0.3 — security patch (Symfony, Vite & Twig CVEs)


@bun4uk bun4uk released this 18 Jun 17:15

Remediates all twelve Dependabot advisories reported against bun4uk/chadmin since v2.0.2, plus five Twig sandbox CVEs surfaced by composer audit. Dependency bumps only — no application behavior changes.

npm — vite 8.0.9 → 8.0.16

| Severity | Advisory | Summary |
| --- | --- | --- |
| high | GHSA-fx2h-pf6j-xcff (CVE-2026-53571) | server.fs.deny bypass on Windows alternate paths |
| medium | GHSA-v6wh-96g9-6wx3 (CVE-2026-53632) | launch-editor NTLMv2 hash disclosure via UNC path handling on Windows |

composer — Symfony (→ 8.0.13 / 8.0.12)

| Severity | Advisory | Package | Summary |
| --- | --- | --- | --- |
| high | GHSA-m7v2-7gxm-vc2v (CVE-2026-45077) | symfony/monolog-bridge | Unauthenticated PHP object deserialization in MonologBridge server:log listener |
| medium | GHSA-38cx-cq6f-5755 (CVE-2026-48736) | symfony/http-foundation | IpUtils::PRIVATE_SUBNETS omits IPv6 transition forms → SSRF bypass in NoPrivateNetworkHttpClient |
| medium | GHSA-6439-2f28-8p8q (CVE-2026-45075) | symfony/http-kernel | HEAD request bypasses methods: ['GET'] filter in #[IsGranted] / #[IsSignatureValid] / #[IsCsrfTokenValid] |
| medium | GHSA-6qh9-h6wf-jgqc (CVE-2026-45073) | symfony/cache | SQL injection in PdoAdapter::doClear() via unsanitized $prefix |
| low | GHSA-hmr5-2xcr-v8pp (CVE-2026-45072) | symfony/web-profiler-bundle | Stored XSS in CodeExtension::fileExcerpt() (unescaped non-PHP file rendering) |
| low | GHSA-c2p3-7m5p-cv8x (CVE-2026-45133) | symfony/yaml | Parser hardening when handling untrusted input |
| low | GHSA-4qpc-3hr4-r2p4 (CVE-2026-45304) | symfony/yaml | Exponential memory allocation via recursive collection-alias |
| low | GHSA-9frc-8383-795m (CVE-2026-45305) | symfony/yaml | ReDoS via catastrophic backtracking in Parser::cleanup() regex |

symfony/routing and symfony/http-kernel are also bumped to 8.0.13 transitively. The Symfony tree is re-resolved to the latest 8.0.x to honor the project's ~8.0.0 constraint.

composer — Twig twig/twig 3.26.0 → 3.27.1

Surfaced by composer audit (not yet flagged by Dependabot). Five sandbox-bypass advisories, all fixed in 3.27.0:

  • CVE-2026-48808 — sandbox property allowlist bypass via the column filter under SourcePolicyInterface
  • CVE-2026-48807 — sandbox __toString() policy bypass via Traversable in join/replace and in/not in
  • CVE-2026-48806 — sandbox __toString() policy bypass via dynamic mapping keys
  • CVE-2026-48805 — sandbox state regression in deprecated internal wrappers
  • CVE-2026-46636 — sandbox filter/tag/function allow-list bypass when sandbox state changes between renders

Notes

Chadmin renders only its own first-party Twig templates and does not use the Twig sandbox, so the sandbox CVEs are not exploitable here — the bump keeps composer audit and Docker image scanners green. composer audit --locked reports no advisories. Also includes a demo fix: the elapsed-time counter no longer stops incrementing.

Images

  • Docker Hub: docker pull bun4uk/chadmin:2.0.3 (also 2.0, 2, latest)
  • GHCR: docker pull ghcr.io/bun4uk/chadmin:2.0.3

v2.0.2 — security patch (Twig CVEs)


@bun4uk bun4uk released this 22 May 14:09
911ee17

Remediates seven advisories reported by Dependabot against bun4uk/chadmin by bumping twig/twig from 3.24.0 → 3.26.0 (composer).

| Severity | Advisory | Summary |
| --- | --- | --- |
| critical | GHSA-7p85-w9px-jpjp | PHP code injection via {% use %} template name |
| high | GHSA-45vw-wh46-2vx8 | RCE via _self.(<string>) macro reference compilation |
| high | GHSA-mm6w-gr99-p3jj | Sandbox bypass via object-destructuring assignment |
| medium | GHSA-7fxw-r6jv-74c8 | {% sandbox %}{% include %} skips checkSecurity() on cached templates |
| medium | GHSA-24x9-r6q4-q93w | template_from_string() escapes a SourcePolicy sandbox via synthesized name |
| low | GHSA-vcc8-phrv-43wj | Sandbox property allowlist bypass via the column filter |
| low | GHSA-4j38-f5cw-54h7 | spaceless filter implicitly marks its output as safe |

Transitive composer bumps

  • symfony/deprecation-contracts 3.6.0 → 3.7.0
  • symfony/polyfill-ctype 1.36.0 → 1.37.0
  • symfony/polyfill-mbstring 1.36.0 → 1.37.0

Notes

Chadmin does not use the Twig sandbox at runtime, so there is no behavior change. The bump is published to silence Dependabot and keep Docker scanners green.

Images

  • Docker Hub: `docker pull bun4uk/chadmin:2.0.2` (also `2.0`, `2`, `latest`)
  • GHCR: `docker pull ghcr.io/bun4uk/chadmin:2.0.2`

v2.0.1 — security patch (Docker Hub CVE false positives)


@bun4uk bun4uk released this 19 May 09:40

Patch release: clears two false-positive vulnerability findings reported by Docker Hub against bun4uk/chadmin:2.0.0, and adopts the consolidated Dockerfile refactor merged via #2.

What changed

  • #2 by @everythings-gonna-be-alright — Single multi-stage docker/Dockerfile with base (php-fpm only) and aio (php-fpm + nginx + supervisord) targets. AIO image now runs as the unprivileged chadmin user (UID 1984). docker/dev + docker/prod configs consolidated under docker/configs/.
  • CVE-2023-27482 (Home Assistant Supervisor name collision with Alpine apk:supervisor) — declared not_affected via OpenVEX (vex/chadmin.openvex.json), attached to the published image as a sigstore attestation by the publish workflow.
  • CVE-2026-24049 (wheel.cli.unpack path traversal) — cleared by removing the vendored wheel-*.dist-info inside py3-setuptools. The vendored copy is metadata only — no Python source — so removal is safe; setuptools ≥70.1 uses its own bdist_wheel and never imports _vendor/wheel at runtime. Same CVE is also declared not_affected in the OpenVEX statement as a backup.

Docker

docker pull bun4uk/chadmin:2.0.1    # or :latest

Drop-in upgrade from 2.0.0 — no behaviour changes.

v2.0.0 — Multi-topology rewrite


@bun4uk bun4uk released this 18 May 21:19

After 5 years of dormancy, chadmin is back with a complete rewrite. New stack, new UI, new capabilities — see https://github.com/bun4uk/chadmin#readme for usage.

Highlights

  • Multi-topology auto-detection — works against a single ClickHouse node, a self-hosted cluster, or ClickHouse Cloud. No manual switch — chadmin probes system.clusters and reads Cloud API credentials to decide.
  • ClickHouse Cloud support — list services across organizations, see live state (running/idle/stopped/awaking), wake idle services from the UI, deep-link to a warehouse/service via URL params.
  • Users & Access page — inspect ClickHouse users and drop them, per-target.
  • Modernized stack — PHP 8.5 / Symfony 8.0 backend, React 19 + TypeScript + Vite 8 + Tailwind 4 frontend with @clickhouse/click-ui.
  • Smart polling — pauses on hidden tabs so background tabs don't keep idle Cloud services warm.
  • Theme toggle — light/dark, persisted per browser.

Docker

Public multi-arch image (linux/amd64 + linux/arm64) on Docker Hub:

docker pull bun4uk/chadmin:2.0.0    # or :latest

Closes

  • #1 Create ready to run docker container (open since 2021)

License

Now MIT.

Note

Not an in-place upgrade from v0.1 — full rewrite. Start fresh from .env.example + docker-compose.yml.

v0.1


@bun4uk bun4uk released this 18 Mar 14:42
txt update