{
  "analysis_version": 1,
  "parent_cve": "CVE-2026-49352",
  "parent_root_cause": "9router uses a hardcoded, publicly known default value as an authentication secret (the JWT signing secret '9router-default-secret-change-me') when the operator has not configured JWT_SECRET, enabling unauthenticated remote auth bypass on a default install.",
  "variant_root_cause": "9router uses a hardcoded, publicly known default value as an authentication credential (the dashboard login password '123456', which is the INITIAL_PASSWORD fallback) when the operator has not set a password (i.e., no saved password hash), enabling unauthenticated remote auth bypass on a default/fresh install.",
  "equivalence_class": "hardcoded_default_auth_credential_enabling_unauthenticated_remote_authz_bypass",
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "reasoning": "Both the parent and the variant are instances of the same pattern: a constant, publicly-documented default credential baked into the codebase is accepted by the auth subsystem when the operator has not configured a replacement, so any unauthenticated remote attacker who can reach the dashboard HTTP port can authenticate and obtain full dashboard + protected-API access. The parent instance is the JWT signing secret (credential = HMAC key, entry point = forged auth_token cookie). The variant instance is the login password (credential = shared password, entry point = POST /api/auth/login). Same impact class (authz_bypass), same trust boundary (unauthenticated remote attacker -> server), same default-install precondition. The CVE fix (fe3ce25ae) patched only the JWT-secret instance; the default-password instance is untouched and remains exploitable on the fixed and latest versions.",
  "differences": [
    "Credential type: HMAC signing secret (parent) vs shared login password (variant).",
    "Entry point: forging auth_token cookie offline with the known secret, no server round-trip (parent) vs a single POST /api/auth/login round-trip that mints a genuinely valid server-signed cookie (variant).",
    "Precondition scope: the parent affects any install without JWT_SECRET (an indefinite window); the variant affects fresh installs with no saved password hash (until a manual password change), a narrower but common default-deployment window."
  ],
  "distinct_from_separate_unrelated_bugs": "This is NOT an unrelated bug reframed as a bypass. It shares the exact root-cause class (hardcoded default auth credential) and the exact security objective the fix was meant to restore (no unauthenticated remote auth bypass on a default install). The project itself later added a 'remote default-password guard' (v0.4.80), corroborating that the default password is part of the same security concern, not acceptable documented behavior.",
  "fix_completeness_for_the_class": "incomplete — the JWT-secret instance is fully fixed; the default-password instance is not, and the latest version's mitigating guard is UI-only and bypassable.",
  "anchors": {
    "parent_sink": "src/lib/auth/dashboardSession.js (SECRET fallback) — fixed in fe3ce25ae",
    "variant_sink": "src/app/api/auth/login/route.js lines 37-38 (INITIAL_PASSWORD || '123456') — NOT fixed; middleware sink src/dashboardGuard.js verifyDashboardAuthToken accepts the server-issued cookie"
  }
}
