{
  "variant_id": "pruva-grav-cve-2026-56700-negative-001",
  "created_at": "2026-07-05T00:00:00Z",
  "variant_summary": "No in-scope bypass confirmed. A signed JobQueue serialized_job reaches the fixed HMAC-verified unserialize path, but only when generated with the server-side Security::getNonceKey() in the local process; unsigned/tampered remote-style payloads are blocked by 2.0.0-beta.2.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/getgrav/grav",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "26a2d519c59c620e2b0a54d0baf33889d7d5db0a",
    "version": "2.0.0-beta.1",
    "ref": "refs/tags/2.0.0-beta.1",
    "display": "Grav CMS 2.0.0-beta.1"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "f95b0ff51a655edcbcc060a3d74b43e3f20b9585",
    "version": "2.0.0-beta.2",
    "ref": "refs/tags/2.0.0-beta.2",
    "display": "Grav CMS 2.0.0-beta.2 fixed/latest tested tag"
  },
  "same_root_cause_confidence": 0.8,
  "same_surface_confidence": 0.2,
  "claimed_surface": "api_remote",
  "validated_surface": "local_cli_probe_only",
  "required_entrypoint_kind": "local_cli_probe",
  "required_entrypoint_detail": "Local PHP probe that can call Security::getNonceKey() and write a signed JobQueue queue file before calling JobQueue::pop().",
  "attacker_controlled_input": "serialized_job plus serialized_job_hmac signed in the local server context",
  "trigger_path": "variant_jobqueue_hmac_probe.php -> JobQueue::pop() -> JobQueue::reconstructJob() -> HMAC-verified unserialize(serialized_job) -> Job::run/system",
  "observed_impact_class": "code_execution_out_of_scope",
  "exploitability_confidence": "low",
  "evidence_scope": "runtime_local_probe_and_source_review",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "Requires valid server-side HMAC key/same-process signing and therefore does not cross the same remote/API trust boundary as the parent exploit.",
  "blocking_mitigation": "2.0.0-beta.2 HMAC integrity checks for JobQueue/FileCache/Session serialized payloads and shell-argument quoting for InstallCommand gitclone.",
  "file_path": "system/src/Grav/Common/Scheduler/JobQueue.php",
  "line_start": 471,
  "line_end": 481,
  "secondary_anchors": [
    {
      "file_path": "system/src/Grav/Framework/Cache/Adapter/FileCache.php",
      "line_start": 75,
      "line_end": 109
    },
    {
      "file_path": "system/src/Grav/Common/Session.php",
      "line_start": 97,
      "line_end": 132
    },
    {
      "file_path": "system/src/Grav/Console/Cli/InstallCommand.php",
      "line_start": 151,
      "line_end": 162
    }
  ],
  "review_scope_paths": [
    "system/src/Grav/Common/Scheduler/JobQueue.php",
    "system/src/Grav/Framework/Cache/Adapter/FileCache.php",
    "system/src/Grav/Common/Session.php",
    "system/src/Grav/Console/Cli/InstallCommand.php",
    "SECURITY.md",
    "CHANGELOG.md"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/run.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
