{
  "variant_outcome": "alternate_trigger_confirmed",
  "is_bypass": false,
  "is_distinct_variant": true,
  "variant_confirmed_on_vulnerable": true,
  "variant_confirmed_on_fixed": false,
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "code_execution",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "Livewire method argument $name to server.destinations.add() = 'x;id > /tmp/coolify_variant_pwned_<tag> 2>&1 #' (shell metacharacters ; > #)",
  "trigger_path": "Authenticated POST /livewire/update -> server.destinations add($name) -> StandaloneDocker::create(['network'=>$name]) -> StandaloneDocker::created -> instant_remote_process(['docker network inspect $name ...'],$server) -> ssh root@server 'bash -se' << delim (unsanitized network executed by remote bash as root)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "vulnerable_result": {
    "image": "ghcr.io/coollabsio/coolify:4.0.0-beta.470",
    "commit_sha": "575b0766d12bad2a78febff72ab59c017772bcf7",
    "livewire_update_status": 200,
    "attempts": 2,
    "markers_present": 2,
    "marker_content": "uid=0(root) gid=0(root) groups=0(root)",
    "command_executed_as_root": true
  },
  "fixed_result": {
    "image": "ghcr.io/coollabsio/coolify:4.0.0-beta.471",
    "commit_sha": "914d7e0b50505bc1fd56c34974fca09ad354e92a",
    "fix_merge_commit": "9e96a20a49f32e46d7a31e66e1aa6338b029f284",
    "livewire_update_status": 500,
    "attempts": 2,
    "markers_present": 0,
    "db_rows_with_malicious_network": 0,
    "blocking_exception": "InvalidArgumentException: Invalid Docker network name. Must start with alphanumeric and contain only alphanumeric characters, dots, hyphens, and underscores.",
    "blocking_exception_origin": "app/Models/StandaloneDocker.php:37 (setNetworkAttribute) <- app/Livewire/Server/Destinations.php:60 (add)",
    "command_executed_as_root": false
  },
  "blocking_mitigation": "App\\Models\\StandaloneDocker::setNetworkAttribute() model mutator added by PR #9228 throws InvalidArgumentException during StandaloneDocker::create() for network names not matching /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/, preventing the created boot event (and thus instant_remote_process) from running. NOTE: PR #9228 did NOT add regex validation to the server.destinations Livewire component's add($name) method; the model mutator is the sole defense covering this entry point.",
  "verdict_explanation": "A materially distinct alternate-trigger variant of CVE-2026-34594 was confirmed at runtime. The same root cause (unsanitized attacker-controlled Docker network name interpolated into the SSH bash -se here-doc via StandaloneDocker::created -> instant_remote_process) is reachable through a different Livewire component (server.destinations, method add($name)) that PR #9228 did not modify. On vulnerable beta.470 the variant executes arbitrary commands as root on the managed server (marker uid=0(root), 2/2). On fixed beta.471 the variant is blocked by the setNetworkAttribute model mutator (defense in depth), not by the fix's primary regex-validation layer (which was never applied to server.destinations.add()). This is an alternate trigger, not a bypass.",
  "inferred": false
}
