Author: Thomas Chauchefoin
Word count: 2087
Language: English
Hacker News points: None

Summary

CasaOS, a personal cloud solution with over 17,000 GitHub stars, was found to contain two critical code vulnerabilities, CVE-2023-37265 and CVE-2023-37266. Together they allow attackers to bypass authentication, gain full access to the CasaOS dashboard, and execute arbitrary commands on the underlying system. The first vulnerability stems from a common design bug in reverse-proxy setups that lets an attacker bypass the IP address validation. The second involves a weak secret used to sign session JWTs, which lets attackers craft arbitrary tokens and bypass authentication. These findings underline the importance of education and security best practices when designing software features, particularly those that support third-party applications such as Docker containers. The CasaOS maintainers have addressed both vulnerabilities with patches, and users are encouraged to update their instances to the latest available release.