{
  "variant_id": "CVE-2026-8054-variant-001",
  "created_at": "2026-07-01T15:25:58Z",
  "variant_summary": "No distinct bypass or alternate entry point confirmed for CVE-2026-8054. Exhaustive testing of the fixed dotCMS 26.04.28-03 build shows the patch parameterizes the SQL sink and requires authentication on all external paths to the Publish Audit API.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/dotCMS/core",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "25.11.04-1 through 26.04.28-02",
    "ref": "dotcms/dotcms:26.04.28-02",
    "display": "dotCMS Core 26.04.28-02 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "version": "26.04.28-03",
    "ref": "dotcms/dotcms:26.04.28-03",
    "commit_sha": "6a5f4188715baaf5b4ffdf0f8f80c402ccfb97ab",
    "display": "dotCMS Core 26.04.28-03 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "POST /api/auditPublishing/getAll (entry point reaching the original SQL sink); also tested GET /api/auditPublishing/get/{bundleId} and body/header bypass attempts",
  "attacker_controlled_input": "HTTP request body JSON array elements and path/header values",
  "trigger_path": "POST /api/auditPublishing/getAll",
  "observed_impact_class": "none",
  "exploitability_confidence": "low",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "fix_covers_surface",
  "blocking_mitigation": "Patch 26.04.28-03 parameterizes the bundle-id IN clause in PublishAuditAPIImpl.getPublishAuditStatuses and enforces push-publish authentication in AuditPublishingResource.",
  "file_path": "dotCMS/src/main/java/com/dotcms/publisher/business/PublishAuditAPIImpl.java",
  "line_start": 226,
  "line_end": 251,
  "secondary_anchors": [
    {
      "file_path": "dotCMS/src/main/java/com/dotcms/rest/AuditPublishingResource.java",
      "line_start": 28,
      "line_end": 85
    },
    {
      "file_path": "dotCMS/src/main/java/com/dotcms/publisher/pusher/AuthCredentialPushPublishUtil.java",
      "line_start": 150,
      "line_end": 180
    }
  ],
  "review_scope_paths": [
    "dotCMS/src/main/java/com/dotcms/publisher/business/PublishAuditAPIImpl.java",
    "dotCMS/src/main/java/com/dotcms/rest/AuditPublishingResource.java",
    "dotCMS/src/main/java/com/dotcms/publisher/pusher/AuthCredentialPushPublishUtil.java",
    "dotCMS/src/main/java/com/dotcms/rest/PushPublishResourceUtil.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant_reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
