Problem
docker-compose.yaml defaults to network_mode: host, giving the container unrestricted access to the entire host network stack. On a NAS with other services (SSH, SMB, databases, backup systems), this means the container can reach everything on the LAN.
Current State
docker-compose.yaml:10 — network_mode: "host" (default)
docker-compose.override.yaml — already switches to bridge with explicit port exposure
Severity: CRITICAL
Proposed Solution
- Change the default in docker-compose.yaml to network_mode: bridge with explicit port mappings (18789, 18790)
- Document host mode as an optional override for users who need it
- Update the install wizard to ask about network mode preference
Context
From security audit 2026-03-25. See full report in Vault.
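The proposed layout as two Compose files, written here as an added example and not taken from the project's own files. The service name `app`, the image placeholder, the container-side port numbers and the file name `docker-compose.host.yaml` are assumptions; `!reset` needs Docker Compose 2.24.0 or newer.

```yaml
# Added example, not the project's own files. Service name "app", the image
# placeholder, container-side ports and the file name docker-compose.host.yaml
# are assumptions.

# --- docker-compose.yaml (proposed default) ---
services:
  app:
    image: example/app:latest   # placeholder image
    network_mode: bridge        # container gets its own network namespace
    ports:
      # Only these two ports are published. With no host IP given, Docker
      # binds them on all host interfaces.
      - "18789:18789"
      - "18790:18790"
---
# --- docker-compose.host.yaml (optional, opt-in override) ---
# Applied only when passed explicitly:
#   docker compose -f docker-compose.yaml -f docker-compose.host.yaml up -d
services:
  app:
    network_mode: host          # shares the host network stack
    ports: !reset []            # published ports do not apply in host mode
```

Running `docker compose config` with the same `-f` arguments prints the merged result, which shows which network mode a given invocation ends up with.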