Skip to content

Committed .env files with MinIO, Redis, and Qdrant credentials exposed #4034

Description

@muhamedfazalps

🔴 Multiple Service Credentials Exposed in .env.docker-compose and .env.server

Multiple .env.* files have been committed to this repository containing real credentials:

Exposed Credentials:

  1. MinIO Root Password: rootpassword (in .env.docker-compose)
  2. Redis Password: thisredispasswordisverysecureandcomplex (in .env.docker-compose and .env.server)
  3. Qdrant API Key: qdrant_pass (in .env.server)
  4. Admin API Key: admin (in .env.docker-compose)

Files:

  • .env.docker-compose
  • .env.server

Recommended Action:

  1. Immediately rotate all exposed passwords and API keys
  2. Remove these files from git history using git filter-branch or git filter-repo
  3. Add all .env* files to .gitignore
  4. Use environment variables or secrets management (e.g., Docker secrets, HashiCorp Vault) instead of committed config files

Discovered via automated GitHub code search as part of vulnerability research.
Buy me a coffee

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions