On 21 Dec a vulnerability was reported to CrateDB regarding authentication that could potentially affect all users. We have taken immediate action to remediate and have posted details here: Disable trust of HTTP ``X-Real-IP`` header by default. The CrateDB team currently has no evidence that the issue was exploited or data inappropriately disclosed. Customers are encouraged to implement recommended mitigations while we continue to investigate and monitor the situation.
