{
  "variant_id": "CVE-2026-58453-vv-no-bypass-20260705",
  "created_at": "2026-07-05T00:00:00Z",
  "variant_summary": "Negative variant result: alternate NetSDK path /NetSDK/Network/interface/1 reaches the same default-credential auth sink on the vulnerable configuration but is blocked by the non-empty-password fixed control; no distinct bypass confirmed.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/jingwenyi/SmartCamera",
  "submitted_target": {
    "target_kind": "firmware",
    "version": "JAIOTlink C492A-W6 firmware 4.8.30.57701411",
    "display": "JAIOTlink C492A-W6 firmware 4.8.30.57701411 / anyka_ipc HTTP service"
  },
  "variant_target": {
    "target_kind": "source_commit_plus_runtime_configuration",
    "commit_sha": "a5bece938ff0dc019ead3d62fa6adefbc8c497fe",
    "ref": "a5bece938ff0dc019ead3d62fa6adefbc8c497fe",
    "display": "Anyka N1 libNkN1API.a at SmartCamera commit a5bece938ff0dc019ead3d62fa6adefbc8c497fe; vulnerable config admin empty vs fixed-control config admin fixed-secret"
  },
  "same_root_cause_confidence": 0.95,
  "same_surface_confidence": 0.9,
  "claimed_surface": "HTTP Basic admin empty password accepted by anyka_ipc NetSDK HTTP service",
  "validated_surface": "GET /NetSDK/System/deviceInfo and GET /NetSDK/Network/interface/1 over localhost TCP to qemu-arm Anyka N1 HTTP service",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "HTTP Basic Authorization header with username admin and an empty password against NetSDK endpoints",
  "attacker_controlled_input": "HTTP request path and Basic auth credential admin:",
  "trigger_path": [
    "HTTP GET /NetSDK/Network/interface/1",
    "N1_Device_HandleNetSDKHTTP / N1_Device_HandleNetSDK",
    "Basic Authorization parsing",
    "runtime user database populated by NK_N1Device_AddUser",
    "n1_usr_load factory fallback admin empty password"
  ],
  "observed_impact_class": "no_bypass_confirmed",
  "exploitability_confidence": 0.1,
  "evidence_scope": "runtime_negative_fixed_control",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "The same-root alternate NetSDK path succeeds only on the vulnerable empty-password configuration and returns HTTP 401 on the non-empty-password fixed control.",
  "blocking_mitigation": "Reject empty admin passwords and remove the factory fallback NK_N1Device_AddUser(\"admin\", \"\", 0); a non-empty configured password blocked tested NetSDK paths.",
  "file_path": "source/anyka_ipc/cloud/n1/src/n1_init.c",
  "line_start": 331,
  "line_end": 386,
  "secondary_anchors": [
    {
      "file_path": "source/anyka_ipc/cloud/n1/include/n1_device.h",
      "line_start": 285,
      "line_end": 285
    },
    {
      "file_path": "libNkN1API.a strings",
      "line_start": 1,
      "line_end": 1
    }
  ],
  "review_scope_paths": [
    "source/anyka_ipc/cloud/n1/src/n1_init.c",
    "source/anyka_ipc/cloud/n1/include/n1_device.h",
    "source/anyka_ipc/cloud/n1/libNkN1API.a",
    "writeups/02-default-http-credentials.md"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ],
    "patch_analysis": "bundle/vuln_variant/patch_analysis.md",
    "source_identity": "bundle/vuln_variant/source_identity.json",
    "candidate_results": "bundle/vuln_variant/candidate_results.jsonl"
  }
}
