{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "variant_kind": "bypass_of_fix",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "POST /api/auth/login body {\"password\":\"123456\"} (hardcoded INITIAL_PASSWORD fallback) on a fresh install; issued auth_token cookie reused directly. For latest v0.4.80 a non-loopback Host header simulates a remote client and bypasses the UI-only mustChangePassword guard.",
  "trigger_path": "POST /api/auth/login -> login/route.js default-password branch -> setDashboardAuthCookie -> dashboardGuard verifyDashboardAuthToken accepts -> /dashboard 200 + /api/keys 200",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false,
  "tested_targets": {
    "vulnerable_v0.4.41": {
      "commit_sha": "cebc72e343dca5aad69b2828cb0d0f2e54b168d",
      "default_pw_login": 200,
      "dashboard_with_cookie": 200,
      "api_keys_with_cookie": 200,
      "no_cookie_control": 307,
      "result": "variant reproduces (expected; pre-fix)"
    },
    "fixed_v0.4.44": {
      "commit_sha": "9e87935c0e53f46d6ae04fbec656fc4d971547d7",
      "default_pw_login": 200,
      "dashboard_with_cookie": 200,
      "api_keys_with_cookie": 200,
      "no_cookie_control": 307,
      "result": "BYPASS CONFIRMED — variant survives the JWT-secret fix"
    },
    "latest_v0.4.80_remote": {
      "commit_sha": "515e2cc4300ace55650ae366414cd51ef3d675df",
      "default_pw_login": 200,
      "login_body": "{\"success\":true,\"mustChangePassword\":true}",
      "dashboard_with_cookie_direct": 200,
      "api_keys_with_cookie_direct": 200,
      "no_cookie_control": 307,
      "result": "BYPASS CONFIRMED — v0.4.80 'remote default-password guard' is UI-only and bypassed via direct cookie use"
    }
  },
  "verdict": "A distinct variant/bypass is confirmed. The CVE-2026-49352 JWT-secret fix (fe3ce25ae) is complete for the JWT-secret instance but does not cover the sibling hardcoded default login password '123456', which enables the same unauthenticated remote auth-bypass impact via a different entry point (POST /api/auth/login) on the fixed (v0.4.44) and latest (v0.4.80) versions. The latest version's mitigating guard is ineffective (UI-only).",
  "exit_code": 0
}
