{
  "variant_id": "CVE-2026-58165-variant-2026-07-05",
  "created_at": "2026-07-05T00:00:00Z",
  "variant_summary": "Alternative enrollment types (OTT-CA, UPDB) and CRUD/list paths for admin enrollments are blocked by the CVE-2026-58165 fix; no bypass found.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "github.com/openziti/ziti",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "c2e6c8ee3da42321ef22442c8d25d0413caf4a4f",
    "version": "2.0.0",
    "ref": "c2e6c8ee3da42321ef22442c8d25d0413caf4a4f",
    "display": "openziti/ziti@2.0.0 (vulnerable commit c2e6c8ee3)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "45b5046f5259e685d7d99e54564c7e38eec9f1f7",
    "version": "latest main",
    "ref": "main",
    "display": "openziti/ziti@main (latest tested 45b5046f5)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "OpenZiti controller management API /edge/management/v1/enrollments",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "OpenZiti controller management API /enrollments (POST, GET, GET/POST/DELETE by id) and unauthenticated /enroll redeem endpoint",
  "attacker_controlled_input": "Authenticated non-admin management API session with enrollment permission; POST /enrollments body targeting an admin identityId; custom list filter queries; pre-existing admin enrollment token",
  "trigger_path": "OpenZiti controller management API /enrollments -> Create/Detail/Refresh/Delete/List, and unauthenticated /enroll token redemption",
  "observed_impact_class": "privilege_escalation",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "The CVE-2026-58165 fix (commit 3027fdffd) and its follow-up (commit 5fb197935) block all tested variant paths: OTT-CA, UPDB, list queries, detail/refresh/delete of admin enrollments. No bypass demonstrated.",
  "file_path": "controller/internal/routes/enrollment_router.go",
  "line_start": 80,
  "line_end": 220,
  "secondary_anchors": [
    {
      "file_path": "controller/internal/routes/enrollment_router.go",
      "line_start": 80,
      "line_end": 220
    },
    {
      "file_path": "tests/permissions_enrollment_test.go",
      "line_start": 258,
      "line_end": 335
    }
  ],
  "review_scope_paths": [
    "controller/internal/routes/enrollment_router.go",
    "controller/internal/routes/enroll_router.go",
    "controller/internal/routes/identity_router.go",
    "controller/model/enrollment_manager.go",
    "controller/model/identity_manager.go",
    "tests/permissions_enrollment_test.go"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/runtime_manifest.json",
    "repro_log": "logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh",
      "vuln_variant/cve_2026_58165_variant_test.go"
    ]
  }
}
