{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "Authenticated Member -> POST /terminal/auth + /terminal/auth/ips -> WebSocket /terminal/ws -> terminal-server.js node-pty ssh command to managed host",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "coolify-laravel",
    "coolify-realtime-terminal-server",
    "websocket",
    "node-pty",
    "openssh-client",
    "managed-host-ssh"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vuln_result.txt",
    "logs/fixed_result.txt",
    "logs/ws_client_vuln.log",
    "logs/ws_client_fixed.log",
    "logs/terminal_vuln.log",
    "logs/terminal_fixed.log",
    "logs/managed_host_vuln.log",
    "logs/managed_host_fixed.log",
    "logs/server.log"
  ],
  "notes": "Confirmed API/WebSocket terminal authorization bypass to managed-host command execution. Vulnerable Member session received terminal host IPs, opened /terminal/ws, terminal-server.js spawned ssh via node-pty, and managed host executed the attacker-supplied shell payload and returned REPRO_WS_COMMAND_EXECUTED. Fixed middleware returns 403 and WebSocket fails closed before managed-host execution."
}