{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Pre-authentication remote POST /api/auth/login using the hardcoded default password '123456' (the INITIAL_PASSWORD fallback, taken when no password hash has been saved, i.e. a fresh install). The login response sets a valid auth_token cookie; replaying that cookie directly (no further interaction with the login UI) grants access to /dashboard and /api/keys.",
  "variant_type": "bypass_of_fix",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "tested_versions": {
    "vulnerable_v0.4.41": {
      "dashboard": "200",
      "api_keys": "200"
    },
    "fixed_v0.4.44": {
      "dashboard": "200",
      "api_keys": "200"
    },
    "latest_v0.4.80_remote": {
      "dashboard": "200",
      "api_keys": "200"
    }
  },
  "runtime_stack": [
    "node",
    "next.js 16",
    "9router-app v0.4.41 (vulnerable)",
    "9router-app v0.4.44 (JWT-fixed)",
    "9router-app v0.4.80 (latest)"
  ],
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/vuln_v0.4.41_server.log",
    "logs/vuln_variant/fixed_v0.4.44_server.log",
    "logs/vuln_variant/latest_v0.4.80_server.log",
    "logs/vuln_variant/fixed_login_defaultpw_hdr.txt",
    "logs/vuln_variant/latest_remote_dashboard_hdr.txt",
    "logs/vuln_variant/latest_remote_apikeys_resp.txt",
    "logs/vuln_variant/latest_remote_cookies.txt",
    "logs/vuln_variant/tested_commits.txt",
    "artifacts/http-variant/"
  ],
  "notes": "Default-password (123456) login succeeds on a fresh install and issues a valid auth_token cookie on ALL three tested versions, so the root cause (a known default credential accepted before any password is set) is not addressed by either fix. v0.4.44 (JWT-fixed): the cookie issued by the default-password login is accepted -> 200 on /dashboard and /api/keys, i.e. the JWT change does not close this path (bypass of the fix). v0.4.80 (latest): the 'remote default-password guard' is enforced client-side only (a mustChangePassword hint that is read solely by src/app/login/page.js, with no corresponding server-side check observed); sending the issued cookie directly with a non-loopback Host header (remote access simulated via Host, not a genuinely non-loopback network path) -> 200 on /dashboard and /api/keys = guard bypassed. Caveat: because remote access was simulated through the Host header, the latest-version result should be re-confirmed from a real non-loopback client before being cited as a remote finding, although nothing in the observed server behaviour suggests a socket-address check exists."
}