{
  "variant_stage": "vuln_variant",
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "AutoBangumi FastAPI on port 7892 \u2014 (V1) POST /api/v1/auth/login with default creds; (V2) POST /api/v1/setup/complete pre-auth takeover",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "docker",
    "AutoBangumi official ghcr images",
    "uvicorn/FastAPI",
    "SQLite"
  ],
  "tested_images": {
    "vulnerable_baseline": {
      "image": "ghcr.io/estrellaxd/auto_bangumi:3.2.6",
      "reported_version": "3.2.6"
    },
    "fixed_latest": {
      "image": "ghcr.io/estrellaxd/auto_bangumi:latest",
      "reported_version": "3.2.8"
    },
    "latest_beta": {
      "image": "ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2",
      "reported_version": "3.3.0-beta.2"
    }
  },
  "variant_1_default_creds_bypass": {
    "vulnerable_3_2_6_login_ok": true,
    "vulnerable_3_2_6_admin_ok": true,
    "fixed_latest_login_ok": true,
    "fixed_latest_admin_ok": true,
    "latest_beta_login_ok": true
  },
  "variant_2_setup_complete_takeover": {
    "fixed_latest_takeover_ok": true,
    "reported_version": "3.2.8"
  },
  "dev_bypass_rule_out": {
    "no_auth_admin_access_observed": false,
      "note": "DEV_AUTH_BYPASS is not active in official images (the real VERSION file is shipped)"
  },
  "proof_artifacts": [
    "logs/vuln_variant/run.log",
    "logs/vuln_variant/vuln-startup.log",
    "logs/vuln_variant/latest-startup.log",
    "logs/vuln_variant/beta-startup.log",
    "logs/vuln_variant/setup-startup.log",
    "vuln_variant/artifacts/vuln-login.json",
    "vuln_variant/artifacts/vuln-rss.json",
    "vuln_variant/artifacts/latest-login.json",
    "vuln_variant/artifacts/latest-rss.json",
    "vuln_variant/artifacts/latest-noauth-rss.json",
    "vuln_variant/artifacts/beta-login.json",
    "vuln_variant/artifacts/beta-noauth-rss.json",
    "vuln_variant/artifacts/setup-status.json",
    "vuln_variant/artifacts/setup-complete.json",
    "vuln_variant/artifacts/setup-login.json",
    "vuln_variant/artifacts/setup-rss.json",
    "vuln_variant/artifacts/setup-oldlogin.json"
  ],
  "notes": "VARIANT 1 (bypass): the default admin/adminadmin account still authenticates via POST /api/v1/auth/login on the patched :latest (=3.2.8) and on :3.3.0-beta.2; add_default_user() and the login handler are unchanged from 3.2.6->HEAD (modulo the async DB refactor). The referenced fix 487bdfec is SSRF hardening of /setup/test-* and does NOT remediate the default credentials. VARIANT 2 (alternate trigger): a pre-auth POST /api/v1/setup/complete on a fresh instance resets the auto-seeded admin account to attacker-chosen creds (no default password needed) -> full admin access; different entry point, same impact, and it reproduces on fixed/latest. RULE-OUT: DEV_AUTH_BYPASS is inactive in official images (unauthenticated /api/v1/rss -> 401)."
}