{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Unauthenticated HTTP: create a webhook-equipped flow via the /configs suffix bypass (POST /api/v1/main/flows/configs), then trigger it via the open-url webhook endpoint (GET /api/v1/main/executions/webhook/configs/configs/<key>) -- isOpenUrl branch, not isConfigEndpoint",
  "variant_class": "alternate_trigger_via_openurl_webhook",
  "whitelist_branch": "isOpenUrl (startsWith) -- untouched by fix 28ff533d8",
  "alternate_trigger_on_vulnerable": true,
  "fixed_blocks_configs_create": true,
  "fixed_webhook_path_still_open": true,
  "bypass_rce_on_fixed": false,
  "runtime_stack": [
    "kestra-standalone",
    "h2-inmemory",
    "micronaut",
    "plugin-script-shell",
    "process-task-runner",
    "plugin-core-trigger-webhook"
  ],
  "marker_token": "VARIANT_KESTRA_RCE_1783230990_10553",
  "webhook_key": "variantSecretKey2026",
  "notes": "Alternate unauthenticated RCE trigger confirmed on v1.0.44 via the isOpenUrl (open-url startsWith) branch + ExecutionController /webhook endpoint -- a different AuthenticationFilter whitelist branch and a different endpoint than the parent repro (which used isConfigEndpoint + /trigger). The trigger path ends with the webhook key, not /configs, so it does not rely on the /configs suffix bypass at all. On fixed v1.0.45 the /configs create-bypass is closed (401) so no RCE; however the open webhook trigger path remains open (404 not 401), confirming the fix did not touch the isOpenUrl branch. Webhook being open is documented behavior; reported as alternate-trigger + defense-in-depth, NOT a bypass."
}
