=== CVE-2026-58165 Reproduction === ROOT=/data/pruva/runs/d7f19659-5953-4321-a167-f693b707cbdb/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/92b8f1e5-395e-41fd-8f92-ae0d5f2888dc REPO=/data/pruva/project-cache/92b8f1e5-395e-41fd-8f92-ae0d5f2888dc/repo LOG_FILE=/data/pruva/runs/d7f19659-5953-4321-a167-f693b707cbdb/bundle/logs/reproduction_steps.log go version go1.26.4 linux/amd64 Resolving commits... VULN_COMMIT=c2e6c8ee3da42321ef22442c8d25d0413caf4a4f FIXED_COMMIT=3027fdffd3e57884487b7c46e5e669cfbc8becdf Verifying patch presence... Fixed commit contains enrollment_router.go patch. Vulnerable commit does not contain the expected patch. === Running vulnerable (c2e6c8ee3da42321ef22442c8d25d0413caf4a4f) === Previous HEAD position was 3027fdffd Prevent enrollment-based privilege escalation to admin identities. Fixes #4010 HEAD is now at c2e6c8ee3 Merge pull request #3917 from openziti/convert-router-forwarder Running go test... Result file: { "vulnerable": true, "fixed": false, "admin_identity_id": "q3b7dBW0UY", "enrollment_id": "3yjS5Nvl2zvG6h41hKlHwj", "create_status_code": 201, "create_response_body": "{\"data\":{\"_links\":{\"self\":{\"href\":\"./enrollments/3yjS5Nvl2zvG6h41hKlHwj\"}},\"id\":\"3yjS5Nvl2zvG6h41hKlHwj\"},\"meta\":{}}\n", "created_identity_id": "MmZ7dF7oUY", "notes": "non-admin created an enrollment for an admin identity, redeemed it, and performed an admin-only operation" } === Running fixed (3027fdffd3e57884487b7c46e5e669cfbc8becdf) === Previous HEAD position was c2e6c8ee3 Merge pull request #3917 from openziti/convert-router-forwarder HEAD is now at 3027fdffd Prevent enrollment-based privilege escalation to admin identities. Fixes #4010 Running go test... Result file: { "vulnerable": false, "fixed": true, "admin_identity_id": "xUab8Pbqx0", "enrollment_id": "", "create_status_code": 401, "create_response_body": "{\"error\":{\"cause\":{\"code\":\"UNHANDLED\",\"message\":\"non-admins may not manage enrollments for admin identities\"},\"code\":\"UNAUTHORIZED\",\"message\":\"The request could not be completed. The session is not authorized or the credentials are invalid\",\"requestId\":\"kZ3b87bVr\"},\"meta\":{\"apiEnrollmentVersion\":\"0.0.1\",\"apiVersion\":\"0.0.1\"}}\n", "created_identity_id": "", "notes": "non-admin create enrollment for admin identity returned 401 (fixed behavior)" } === Summary === Vulnerable commit create-status: 201 Fixed commit create-status: 401 CONFIRMED: privilege escalation possible on vulnerable commit and blocked on fixed commit. === CVE-2026-58165 Reproduction === ROOT=/data/pruva/runs/d7f19659-5953-4321-a167-f693b707cbdb/bundle PROJECT_CACHE_DIR=/data/pruva/project-cache/92b8f1e5-395e-41fd-8f92-ae0d5f2888dc REPO=/data/pruva/project-cache/92b8f1e5-395e-41fd-8f92-ae0d5f2888dc/repo LOG_FILE=/data/pruva/runs/d7f19659-5953-4321-a167-f693b707cbdb/bundle/logs/reproduction_steps.log go version go1.26.4 linux/amd64 Resolving commits... VULN_COMMIT=c2e6c8ee3da42321ef22442c8d25d0413caf4a4f FIXED_COMMIT=3027fdffd3e57884487b7c46e5e669cfbc8becdf Verifying patch presence... Fixed commit contains enrollment_router.go patch. Vulnerable commit does not contain the expected patch. === Running vulnerable (c2e6c8ee3da42321ef22442c8d25d0413caf4a4f) === Previous HEAD position was 3027fdffd Prevent enrollment-based privilege escalation to admin identities. Fixes #4010 HEAD is now at c2e6c8ee3 Merge pull request #3917 from openziti/convert-router-forwarder Running go test... Result file: { "vulnerable": true, "fixed": false, "admin_identity_id": "hRhUAw5Ndb", "enrollment_id": "1UkobWToMHxoArbRPLzQ34", "create_status_code": 201, "create_response_body": "{\"data\":{\"_links\":{\"self\":{\"href\":\"./enrollments/1UkobWToMHxoArbRPLzQ34\"}},\"id\":\"1UkobWToMHxoArbRPLzQ34\"},\"meta\":{}}\n", "created_identity_id": "dghUVwSBdb", "notes": "non-admin created an enrollment for an admin identity, redeemed it, and performed an admin-only operation" } === Running fixed (3027fdffd3e57884487b7c46e5e669cfbc8becdf) === Previous HEAD position was c2e6c8ee3 Merge pull request #3917 from openziti/convert-router-forwarder HEAD is now at 3027fdffd Prevent enrollment-based privilege escalation to admin identities. Fixes #4010 Running go test... Result file: { "vulnerable": false, "fixed": true, "admin_identity_id": "hB2B9mNX8-", "enrollment_id": "", "create_status_code": 401, "create_response_body": "{\"error\":{\"cause\":{\"code\":\"UNHANDLED\",\"message\":\"non-admins may not manage enrollments for admin identities\"},\"code\":\"UNAUTHORIZED\",\"message\":\"The request could not be completed. The session is not authorized or the credentials are invalid\",\"requestId\":\"6K2B9mNin\"},\"meta\":{\"apiEnrollmentVersion\":\"0.0.1\",\"apiVersion\":\"0.0.1\"}}\n", "created_identity_id": "", "notes": "non-admin create enrollment for admin identity returned 401 (fixed behavior)" } === Summary === Vulnerable commit create-status: 201 Fixed commit create-status: 401 CONFIRMED: privilege escalation possible on vulnerable commit and blocked on fixed commit.