{
  "variant_outcome": "confirmed",
  "variant_kind": "alternate_trigger",
  "bypass": false,
  "bypass_reason": "No official patch exists for CVE-2026-58377 (status Deferred; latest release v3.9.2 is the vulnerable version; master HEAD byte-identical to v3.9.2). There is no fix to bypass. The variant is an alternate trigger confirmed on the LATEST available code.",
  "distinct_from_parent": true,
  "distinct_reason": "Variant A targets a different controller (OpenApiLogController), a different URL prefix (/openapi/record/*), a different protected resource (audit-log table), and a different impact class (audit-log disclosure/forgery/tampering/destruction) — none of which appear in the CVE description. Variant B targets OpenApiPermissionController, which the CVE description mentions but the parent reproduction never exercised at runtime. Same root cause (missing Shiro @RequiresRoles + auth-only /** jwt filter), materially different entry points.",
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "privilege_escalation",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "authenticated low-privileged user JWT (ceshi/test role) + request body controlling apiId/callAuthId/apiAuthId",
  "trigger_path": "POST /jeecg-boot/sys/login (ceshi) -> GET/POST/DELETE /jeecg-boot/openapi/record/* and POST/GET /jeecg-boot/openapi/permission/* with X-Access-Token; negative control POST /openapi/add rejected",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": true,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": null,
  "inferred": false,
  "variants_tested": [
    {
      "id": "A",
      "controller": "OpenApiLogController",
      "url_prefix": "/openapi/record/*",
      "in_cve_description": false,
      "result": "confirmed",
      "operations": ["list (total=27)", "add (persisted, attributed to admin auth id)", "delete (DB 1->0)", "queryById"],
      "impact": "audit-log disclosure / forgery / tampering / destruction by low-priv user"
    },
    {
      "id": "B",
      "controller": "OpenApiPermissionController",
      "url_prefix": "/openapi/permission/*",
      "in_cve_description": true,
      "reproduced_by_parent": false,
      "result": "confirmed",
      "operations": ["add (granted permissions on admin auth id; 2 rows persisted)", "getOpenApi (retrieved defs for admin auth id)"],
      "impact": "grant/alter OpenAPI permissions on any auth record; enumerate OpenAPI surface"
    }
  ],
  "negative_control": {
    "endpoint": "POST /openapi/add (OpenApiController, @RequiresRoles({\"admin\"}))",
    "result": "rejected low-priv user",
    "message": "Subject does not have role [admin]"
  },
  "fix_status": "no_patch_available",
  "latest_version_tested": "v3.9.2 (commit 7df07a823fd558be857d0208ccae96342539fbc1); master HEAD 32a8dfe94f014f7a9d472bce83e08bb8cf9c10c3 byte-identical for affected controllers",
  "script_exit_code": 0,
  "idempotency_confirmed": true
}
