{
  "verdict": "alternate_trigger_confirmed_no_fixed_bypass",
  "confirmed_distinct_variant_or_bypass": false,
  "bypass_confirmed_on_fixed_version": false,
  "alternate_trigger_confirmed_on_vulnerable_version": true,
  "claim_outcome": "not_confirmed_as_bypass",
  "claim_block_reason": "The materially distinct Azure/Entra direct form_post id_token trigger authenticates on SimpleHelp 5.5.15 but patched 5.5.16 rejects the same forged token and remains unauthenticated.",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "submitted_target": {
    "target_kind": "commercial_binary_release",
    "version": "5.5.15",
    "display": "SimpleHelp 5.5.15 Linux server build 20260326-092709"
  },
  "variant_target": {
    "target_kind": "commercial_binary_release",
    "version": "5.5.16",
    "display": "SimpleHelp 5.5.16 Linux server build 20260526-203544 (fixed)"
  },
  "attacker_controlled_input": "forged Azure/Entra OIDC form-post id_token with alg:none, bogus signature, and attacker technician claims",
  "trigger_path": "GET /auth/v1/account/oidc_get for an oidc_azure provider returns response_type=id_token and response_mode=form_post; attacker posts forged id_token and server-issued state to POST /oidc; status checked with GET /auth/v1/account/status",
  "observed_impact_class": "authz_bypass_on_vulnerable_only",
  "exploitability_confidence": "high_for_vulnerable_alternate_trigger_low_for_fixed_bypass",
  "end_to_end_target_reached": true,
  "vulnerable_version_result": {
    "version": "5.5.15",
    "build": "20260326-092709",
    "status": "FULLY_AUTHENTICATED",
    "identity": "Forged Azure Attacker / azure-attacker@example.com"
  },
  "fixed_version_result": {
    "version": "5.5.16",
    "build": "20260526-203544",
    "status": "UNAUTHENTICATED",
    "failed_closed": true
  },
  "runtime_evidence": true,
  "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
  "reproducer": "bundle/vuln_variant/reproduction_steps.sh",
  "logs": [
    "bundle/logs/vuln_variant/reproduction_steps.log",
    "bundle/logs/vuln_variant/azure_flow_summary.json",
    "bundle/logs/vuln_variant/azure_vuln_flow.json",
    "bundle/logs/vuln_variant/azure_patched_flow.json",
    "bundle/logs/vuln_variant/azure_class_comparison.log"
  ],
  "inferred": false
}
