
Commit 5f9a261

committed
docs(sec): synchronize security warnings for gremlin execution to EN docs
1 parent b645246 commit 5f9a261

6 files changed

Lines changed: 23 additions & 4 deletions


content/en/docs/clients/restful-api/gremlin.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,11 @@ description: "Gremlin REST API: Execute Gremlin graph traversal language scripts
77

88
### 8.1 Gremlin
99

10+
> ⚠️ **SEC Reminder: Safe Usage of Native Query Endpoints in Production Environments**
11+
>
12+
> The flexibility of Graph Query Languages (such as Gremlin/Cypher) inherently introduces certain potential security risks. To ensure core security, **please avoid exposing any related native query endpoints directly to the public network**.
13+
> In production scenarios where internal exposure is required, you must enable the **[Authentication System (Auth)](/docs/config/config-authentication/)** combined with an **IP Whitelist** as a dual-security mechanism to strictly control user execution permissions. Additionally, it is advised to use an Audit Log to audit the specific statements executed and to adopt **[Containerized Deployment (Docker/K8s)](/docs/quickstart/hugegraph/hugegraph-server/#31-use-docker-container-convenient-for-testdev)** to enhance system-level security isolation.
14+
1015
#### 8.1.1 Sending a gremlin statement (GET) to HugeGraphServer for synchronous execution
1116

1217
##### Params
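Review bot: The reminder links the Auth system and containerized deployment, but the two other controls it requires, the IP Whitelist and the Audit Log, are named with no link or configuration pointer, so a reader of the Gremlin API page cannot act on them; add a link to the relevant configuration section (or name the option) for each, or drop them from the "must" sentence. The risk statement "inherently introduces certain potential security risks" is also vaguer than the same commit's hugegraph-tools note, which spells out "large-scale data modification and high-risk system calls"; reusing that concrete wording here would tell API users why the endpoint must not be public.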

content/en/docs/config/config-authentication.md

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,9 +24,11 @@ user(name=xx) -belong-> group(name=xx) -access(read)-> target(graph=graph1, reso
2424

2525
### Configure User Authentication
2626

27-
By default, HugeGraph does **not enable** user authentication, and it needs to be enabled by
28-
modifying the configuration file (Note: If used in a production environment or over the internet,
29-
please use a **Java11** version and enable **auth-system** to avoid security risks.)
27+
By default, HugeGraph does **not enable** user authentication, and it needs to be enabled by modifying the configuration file.
28+
29+
> ⚠️ **SEC Reminder: Security of Graph Query Languages (Gremlin/Cypher)**
30+
>
31+
> Due to potential system security risks brought about by the flexibility of graph query languages, **please avoid exposing any query-related endpoints directly to public/external network environments**. In actual production deployments, please use the **[Authentication System](/docs/config/config-authentication/)** outlined here combined with an **IP Whitelist** as a dual-security mechanism, and we recommend enabling Audit Logs to pinpoint the exact queries executed by users. Given the stateless nature of the Server, it is strongly recommended overall to use a **[Containerized Environment (Docker/K8s)](/docs/quickstart/hugegraph/hugegraph-server/#31-use-docker-container-convenient-for-testdev)** architecture to effectively isolate underlying system safety risks at a minimal cost.
3032
3133
You need to modify the configuration file to enable this feature. HugeGraph provides built-in authentication mode: `StandardAuthenticator`. This mode supports multi-user authentication and fine-grained permission control. Additionally, developers can implement their own `HugeAuthenticator` interface to integrate with their existing authentication systems.
3234
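Review bot: The removed lines carried a Java 11 requirement ("please use a Java11 version and enable auth-system"); the replacement drops it without a stated reason. If Java 11 is still required for a safe production deployment, keep it in the new paragraph; if it is obsolete, say so in the commit message so the change is not read as an accidental loss. Also, the new note links to `/docs/config/config-authentication/` from inside `config-authentication.md` itself ("the Authentication System outlined here"); a self-link is confusing, so replace it with plain text or an in-page anchor to the relevant section below.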

content/en/docs/guides/security.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,14 @@ weight: 7
66

77
## Reporting New Security Problems with Apache HugeGraph
88

9+
> ⚠️ **SEC Reminder: Notice to Vulnerability Researchers Regarding Graph Query Languages**
10+
>
11+
> Given the inherent parsing and execution flexibility of graph query languages (like Gremlin/Cypher), HugeGraph strongly recommends relying on the **"[Auth (Authentication)](/docs/config/config-authentication/) + IP Whitelist + Audit Log"** mechanism in production environments to adhere to the Principle of Least Privilege. Furthermore, since Server nodes are essentially stateless, **it is explicitly advised to use [Containerized Environments (Docker/K8s)](/docs/quickstart/hugegraph/hugegraph-server/#31-use-docker-container-convenient-for-testdev) for isolated deployments in all production environments**.
12+
>
13+
> Recently, the community has received numerous security reports concerning the flexibility of graph queries. Until the overall HugeGraph security architecture is fully refactored, known situations involving the execution of DSL queries under the premise of **not enabling/skipping the Auth system or avoiding authorized identities** will **no longer be treated individually as new vulnerabilities**.
14+
>
15+
> However, if a vulnerability can still be exploited in an environment where the **Auth system is enabled** by accessing it with an **anonymous or unauthorized identity**, or if one successfully **bypasses the IP whitelist / escapes the container** causing severe unauthorized access or underlying system destruction, we still consider this a high-risk security vulnerability and highly encourage you to report it to us at any time!
16+
917
Adhering to the specifications of ASF, the HugeGraph community maintains a highly proactive and open attitude towards addressing security issues in the **remediation** projects.
1018

1119
We strongly recommend that users first report such issues to our dedicated security email list, with detailed procedures specified in the [ASF SEC](https://www.apache.org/security/committers.html) code of conduct.
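Review bot: The exclusion criterion in the second paragraph is ambiguous: "under the premise of not enabling/skipping the Auth system or avoiding authorized identities" does not make clear whether a report that uses a legitimately granted account to reach something that account should not reach is in or out of scope, and "avoiding authorized identities" reads as the opposite of what is presumably meant. Suggest restating the rule as two explicit conditions (Auth disabled or bypassed; caller already holds the permission that the query needs) so researchers and triagers apply the same test. "Until the overall HugeGraph security architecture is fully refactored" would also benefit from a link to the tracking issue if one exists, so the temporary policy has a visible end condition.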

content/en/docs/quickstart/hugegraph/hugegraph-server.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,7 +33,7 @@ There are four ways to deploy HugeGraph-Server components:
3333
- Method 3: Source code compilation
3434
- Method 4: One-click deployment
3535

36-
**Note:** For production environments or environments exposed to the public network, you must use Java 11 and enable [Auth authentication](/docs/config/config-authentication/) to avoid security risks.
36+
> ⚠️ **SEC Reminder**: Due to the high flexibility of graph query languages (like Gremlin/Cypher), exposing native query endpoints directly presents potential security risks. Therefore, **please avoid exposing any query-related endpoints directly in public network environments**. In production environments, it is imperative to enable the **[Authentication System (Auth)](/docs/config/config-authentication/)** combined with an **IP Whitelist** to establish a dual assurance mechanism, along with an Audit Log to track specific query statements. It is heavily recommended to adopt a **[Containerized Environment (Docker/K8s)](#31-use-docker-container-convenient-for-testdev)** for deployment to achieve better system-level security isolation.
3737
3838
#### 3.1 Use Docker container (Convenient for Test/Dev)
3939
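Review bot: The new reminder recommends containerized deployment for production while linking to section 3.1, whose title in the trailing context reads "Use Docker container (Convenient for Test/Dev)"; a reader following the link lands on instructions labelled as not for production. Either retitle that section, point the link to production-oriented container guidance, or soften the claim. This hunk also drops the Java 11 requirement from the old "Note:" without mention, the same loss as in `config-authentication.md`; confirm whether it is still needed and restore or explain.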

content/en/docs/quickstart/toolchain/hugegraph-hubble.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -409,6 +409,8 @@ HugeGraph supports Gremlin, a graph traversal query language of Apache TinkerPop
409409

410410
After Gremlin query, below is the graph result display area, which provides 3 kinds of graph result display modes: [Graph Mode], [Table Mode], [Json Mode].
411411

412+
> ⚠️ **SEC Reminder**: Hubble allows the direct input and execution of native Gremlin query statements on the web interface, which grants users relatively high operational privileges. **Please avoid exposing the Hubble service to public network environments**. It is recommended to ensure that the graph database server has enabled the **[Authentication System (Auth)](/docs/config/config-authentication/)** combined with an **IP Whitelist** for strict permission control when in use, preventing unauthorized access or malware execution risks.
413+
412414
Support zoom, center, full screen, export and other operations.
413415

414416
【Picture Mode】
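Review bot: The reminder is inserted between the description of the three result display modes and "Support zoom, center, full screen, export...", which belong together; moving it to the start of the Gremlin section (where the hunk header's "HugeGraph supports Gremlin..." sentence sits) keeps the display-mode description contiguous and puts the warning before the user types anything. Wording: "malware execution risks" does not describe the risk the note itself identifies, which is execution of arbitrary native Gremlin statements through the web UI; say "arbitrary query/script execution" instead.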

content/en/docs/quickstart/toolchain/hugegraph-tools.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -142,6 +142,8 @@ Another way is to set the environment variable in the bin/hugegraph script:
142142

143143
##### 3.5 Gremlin Type,gremlin-execute and gremlin-schedule
144144

145+
> ⚠️ **SEC Reminder**: The execution of Gremlin depends on the actual logic of the statements, which may involve scenarios such as large-scale data modification and high-risk system calls with potential implicit hazards. Please use this tool **only in secure and trusted network environments**. It is imperative to bind the backend graph database with the **[Authentication System (Auth)](/docs/config/config-authentication/)** and an **IP Whitelist** to restrict execution requests on the server side. Never hand over the tool or expose the execution entry to unauthorized personnel.
146+
145147
- gremlin-execute, send Gremlin statements to HugeGraph-Server to execute query or modification operations, execute synchronously, and return results after completion
146148
- --file or -f, specify the script file to execute, UTF-8 encoding, mutually exclusive with --script
147149
- --script or -s, specifies the script string to execute, mutually exclusive with --file
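Review bot: "Never hand over the tool or expose the execution entry to unauthorized personnel" implies that possession of hugegraph-tools is itself the access control, but the same note says execution requests are restricted on the server side by Auth and an IP whitelist; the asset to protect is therefore the credentials and connection configuration the tool uses, not the binary. Suggest rephrasing to that effect. "High-risk system calls with potential implicit hazards" is also too vague to act on; if a specific class of statements is meant, name it, otherwise reduce it to "statements that can modify or delete data at scale".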
