{
  "variant_outcome": "confirmed",
  "variant_kind": "bypass_and_alternate_trigger",
  "confirmed_variants": [
    {
      "id": "variant-1-default-creds-bypass",
      "kind": "bypass",
      "summary": "Hard-coded default credentials admin/adminadmin still authenticate via POST /api/v1/auth/login on the FIXED/LATEST official image, granting an admin JWT and full admin API access. The referenced fix (commit 487bdfec, 3.2.8) is SSRF hardening of /setup/test-* and does not touch add_default_user() or the login handler; the exploit reproduces unchanged from 3.2.6 through HEAD.",
      "reproduced_on_fixed_version": true,
      "reproduced_on_latest_version": true,
      "tested_targets": [
        {"image": "ghcr.io/estrellaxd/auto_bangumi:latest", "reported_version": "3.2.8", "commit_sha": "265b449fad6d753f061a09aaa03fcd3eb739a266", "login_status": 200, "admin_api_status": 200},
        {"image": "ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2", "reported_version": "3.3.0-beta.2", "commit_sha": "c8f402fd687c443d91e6c6dc3474032b9a9182eb", "login_status": 200, "admin_api_status": 200}
      ],
      "vulnerable_baseline": {"image": "ghcr.io/estrellaxd/auto_bangumi:3.2.6", "reported_version": "3.2.6", "commit_sha": "717ad11f7fad572ee8fe8ffe7edfe68bde9624c8", "login_status": 200, "admin_api_status": 200}
    },
    {
      "id": "variant-2-setup-complete-takeover",
      "kind": "alternate_trigger",
      "summary": "Pre-auth POST /api/v1/setup/complete on a fresh instance resets the auto-seeded admin account's username/password to attacker-chosen values (no default credentials needed); the attacker then logs in with their own credentials and gets full admin API access. This is a different entry point from /auth/login with the same fresh-instance admin-takeover impact, and it reproduces on the fixed/latest version.",
      "reproduced_on_fixed_version": true,
      "reproduced_on_latest_version": true,
      "tested_targets": [
        {"image": "ghcr.io/estrellaxd/auto_bangumi:latest", "reported_version": "3.2.8", "commit_sha": "265b449fad6d753f061a09aaa03fcd3eb739a266", "setup_complete_status": 200, "attacker_login_status": 200, "admin_api_status": 200, "old_admin_login_status": 401}
      ]
    }
  ],
  "ruled_out_candidates": [
    {
      "id": "dev-auth-bypass",
      "summary": "DEV_AUTH_BYPASS in module/security/api.py returns 'dev_user' for all protected endpoints with zero credentials when module.__version__ is unimportable (VERSION == 'DEV_VERSION').",
      "ruled_out_reason": "Official Docker images ship a real module.__version__.VERSION (3.2.8 / 3.3.0-beta.2); no-auth GET /api/v1/rss returns 401 on every tested image. DEV_AUTH_BYPASS is not active in production images; it remains latent only for source installs that lack module/__version__.",
      "tested": true
    },
    {
      "id": "bearer-login-tokens",
      "summary": "Authorization: Bearer <token> bypass in get_current_user matches settings.security.login_tokens.",
      "ruled_out_reason": "login_tokens defaults to an empty list (module/models/config.py Security.login_tokens = Field(default_factory=list)); there are no default/known bearer tokens, so this is not a default-credentials variant.",
      "tested": true
    },
    {
      "id": "passkey-webauthn-login",
      "summary": "POST /api/v1/passkey/auth/verify issues a JWT after WebAuthn verification.",
      "ruled_out_reason": "Requires a registered passkey credential, which needs prior authenticated registration; on a fresh instance with only the seeded admin account no passkeys exist, so it cannot be used with default credentials. Not a default-credentials variant.",
      "tested": false
    }
  ],
  "fix_effectiveness": {
    "fix_commit": "487bdfec545e805ae416e6ddf28651bd274d6a73",
    "fix_version": "3.2.8",
    "fix_scope": "SSRF hardening of the pre-auth /setup/test-downloader and /setup/test-rss endpoints plus raw-error echo reduction; qBittorrent 5.2 login compatibility.",
    "remediates_cve_2026_58466": false,
    "reason": "The fix does not modify add_default_user() (admin/adminadmin seeding), the POST /api/v1/auth/login handler, or the POST /api/v1/setup/complete admin-account reset. git diff 3.2.6..HEAD shows no root-cause change; 3.3.0-beta.2 only refactors to async DB, sets samesite=strict, and changes logout from GET to POST. The exact default-credential exploit and the pre-auth setup-complete takeover both reproduce on 3.2.8 and 3.3.0-beta.2."
  },
  "evidence_scope": "production_path",
  "validated_surface": "api_remote",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false,
  "notes": "An exit status of 0 from bundle/vuln_variant/reproduction_steps.sh means the bypass/variant reproduced on the FIXED/LATEST version. Two consecutive idempotent runs both exited 0 with identical evidence."
}
