{
  "claim_outcome": "confirmed",
  "claim_block_reason": "null",
  "repro_result": "confirmed",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Authenticated low-privileged Viewer user identity with serviceaccounts:read scoped only to alpha-sa; HTTP GET to /apis/iam.grafana.app/v0alpha1/namespaces/default/serviceaccounts",
  "trigger_path": "Real Grafana unified-storage HTTP endpoint GET /apis/iam.grafana.app/v0alpha1/namespaces/{org}/serviceaccounts -> IAM serviceaccount List -> common.List -> authzLimitedClient.Compile for iam.grafana.app/serviceaccounts. With the vulnerable allowlist, which omits serviceaccounts, an always-true item checker is returned, exposing beta-sa; with the fixed allowlist, the check is delegated to RBAC and beta-sa is filtered out.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false
}
