Charon/docs/security/archive/2026-02-06-validation-report.md

Security Validation Report - Feb 2026

Date: 2026-02-06 Scope: E2E Test Validation & Container Security Scan Status: 🔴 FAIL

1. Executive Summary

Validation of the recent security enforcement updates revealed that while the core functionality is operational (frontend and backend are responsive), there are meaningful regression failures in E2E tests, specifically related to accessibility compliance and keyboard navigation. Additionally, a potentially flaky or timeout-prone behavior was observed in the CrowdSec diagnostics suite.

2. E2E Test Failures

The following tests failed during the firefox project execution against the E2E environment (http://127.0.0.1:8080).

2.1. Accessibility Failures (Severity: Medium)

Test: tests/security/crowdsec-config.spec.ts Case: CrowdSec Configuration @security › Accessibility › should have accessible form controls Error:

Error: expect(received).toBeTruthy()
Received: null
Location: crowdsec-config.spec.ts:296:28

Analysis: Input fields in the CrowdSec configuration form are missing accessible labels (via aria-label, aria-labelledby, or <label for="...">). This violates WCAG 2.1 guidelines and causes test failure.

2.2. Keyboard Navigation Failures (Severity: Medium)

Test: tests/security/crowdsec-decisions.spec.ts Case: CrowdSec Banned IPs Management › Accessibility › should be keyboard navigable Error:

Error: expect(locator).toBeVisible() failed
Locator: locator(':focus')
Expected: visible

Analysis: The "Banned IPs" card or table does not properly handle initial focus or tab navigation, resulting in focus being lost or placed on a non-visible element.

2.3. Test Interruption / Potential Timeout (Severity: Low/Flaky)

Test: tests/security/crowdsec-diagnostics.spec.ts Case: CrowdSec Diagnostics › Connectivity Checks › should optionally report console reachability Status: Interrupted Analysis: The test runner execution was interrupted or timed out on this specific test. Backend logs confirm the connectivity endpoint /api/v1/admin/crowdsec/diagnostics/connectivity responded successfully in ~166ms, suggesting the issue might be client-side (Playwright) or network race condition waiting for the next step.

3. Security Scan Results (Trivy)

Image: charon:local (Debian 13.3) Overall: 2 HIGH, 0 CRITICAL

Library	Vulnerability	Severity	Fixed Version	Title
libc-bin	CVE-2026-0861	HIGH	(None)	glibc: Integer overflow in memalign
libc6	CVE-2026-0861	HIGH	(None)	glibc: Integer overflow in memalign

Analysis: The vulnerabilities are detected in the base OS (glibc). Currently, there is no fixed version available in the upstream repositories for this Debian version. These are considered Acceptable Risks for the moment until upstream patches are released.

4. Recommendations

1. Remediate Accessibility: Update CrowdSecConfig React component to add aria-label to form inputs, specifically those used for configuration toggles or text fields.
2. Fix Focus Management: Ensure the Banned IPs table has a valid tab order and visually indicates focus.
3. Monitor Flakiness: Re-run diagnostics tests in isolation to confirm if the interruption is persistent.
4. Accept Risk (OS): Acknowledge the glibc vulnerabilities and schedule a base image update check in 30 days.