Impact
Before version 4.9.0, Onyxia-API leaked the credentials of private helm repositories through the public (unauthenticated) /public/catalogs endpoint.
Only instances using private helm repositories (i.e. setting a username and password in the catalogs configuration) are affected.
This optional feature was added in Onyxia-API v4.6.0 (Onyxia 10.18.0, May 21st, 2025).
Patches
The issue has been fixed in version 4.9.0 of Onyxia-API (Onyxia 10.28).
Workarounds
Users who cannot upgrade to API 4.9.0 (a minor upgrade from 4.6.0) are advised to remove any private helm repositories from their catalogs configuration, so that no credentials are present to be leaked.
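To confirm that an instance is no longer exposing repository credentials, an operator can fetch the unauthenticated /public/catalogs response from their own deployment and scan it for credential-looking fields. The following audit script is an added example and is not part of the advisory or of the Onyxia project; it assumes the response is JSON and that credentials appear under keys such as `username` and `password` (the advisory only says "username & password", so the exact key set is an assumption to adjust per deployment).

```python
"""Audit helper (added example): scan an Onyxia-API /public/catalogs response
for credential fields that should never appear in an unauthenticated reply."""
import json
from typing import Any, Iterator

# Key names treated as credential material. The field names Onyxia-API uses in
# its catalogs configuration are an assumption here; extend to match your setup.
CREDENTIAL_KEYS = {"username", "password", "token", "secret"}


def find_credential_fields(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Recursively walk a decoded JSON document and yield (json_path, key) for
    every key whose name looks like credential material and whose value is
    non-empty. Works on any nesting of objects and arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in CREDENTIAL_KEYS and value not in (None, ""):
                yield child, key
            yield from find_credential_fields(value, child)
    elif isinstance(node, list):
        for idx, item in enumerate(node):
            yield from find_credential_fields(item, f"{path}[{idx}]")


def audit_public_catalogs(body: str) -> list[str]:
    """Parse the JSON body returned by the public endpoint and return the JSON
    paths of every exposed credential field (an empty list means nothing leaked)."""
    return [path for path, _ in find_credential_fields(json.loads(body))]


# Constructed sample response (not real Onyxia output): one public catalog and
# one private catalog whose helm repository credentials are echoed back verbatim.
SAMPLE_LEAKY_RESPONSE = json.dumps({
    "catalogs": [
        {"id": "public-charts", "location": "https://charts.example.invalid/public"},
        {"id": "private-charts", "location": "https://charts.example.invalid/private",
         "username": "deploy-bot", "password": "EXAMPLE-NOT-A-REAL-SECRET"},
    ]
})

# The same instance after applying the workaround: the private repository and
# its credentials have been removed from the catalogs configuration.
SAMPLE_CLEAN_RESPONSE = json.dumps({
    "catalogs": [
        {"id": "public-charts", "location": "https://charts.example.invalid/public"},
    ]
})

if __name__ == "__main__":
    import sys
    # Usage against your own deployment (base URL is a placeholder):
    #   curl -s "$ONYXIA_API_BASE/public/catalogs" | python audit_catalogs.py
    # Exit status 1 signals that at least one credential field is exposed.
    leaks = audit_public_catalogs(sys.stdin.read())
    for path in leaks:
        print(f"credential field exposed at {path}")
    sys.exit(1 if leaks else 0)
```

The script reports the JSON path of each offending field rather than its value, so its output can be pasted into a ticket or CI log without re-exposing the secret. Running it after the upgrade to 4.9.0, or after removing private repositories, should produce no output and exit 0.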