{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "POST /api/v1/auth/login (AutoBangumi FastAPI authentication endpoint, port 7892)",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "docker",
    "AutoBangumi 3.2.6 (ghcr.io/estrellaxd/auto_bangumi:3.2.6)",
    "uvicorn/FastAPI",
    "SQLite"
  ],
  "proof_artifacts": [
    "logs/run.log",
    "logs/vuln-1-startup.log",
    "logs/vuln-2-startup.log",
    "logs/fixed-1-startup.log",
    "logs/fixed-2-startup.log",
    "artifacts/http/vuln-1-login.json",
    "artifacts/http/vuln-2-login.json",
    "artifacts/http/vuln-1-rss.json",
    "artifacts/http/vuln-1-log.json",
    "artifacts/http/vuln-2-rss.json",
    "artifacts/http/vuln-2-log.json",
    "artifacts/http/fixed-1-login.json",
    "artifacts/http/fixed-2-login.json"
  ],
  "notes": "Vulnerable 3.2.6: fresh empty DB triggers add_default_user() seeding admin/adminadmin; POST /api/v1/auth/login with admin/adminadmin returns HTTP 200 + admin JWT (sub=admin); JWT cookie grants access to admin-only /api/v1/rss and /api/v1/log. Negative control 3.2.8 still seeds the default user and still accepts the login (referenced fix commit 487bdfec addresses SSRF #1041, not default credentials). Source: add_default_user seeds admin/adminadmin (confirmed in source). confirmed=1"
}