{
  "variant_id": "pruva-cve-2026-34047-negative-api-token-private-key-candidate",
  "created_at": "2026-07-07T00:00:00Z",
  "variant_summary": "No distinct fixed-version bypass was confirmed. The ticket-suggested Member API-token/private-key path was tested on vulnerable and fixed Coolify versions and did not disclose private key material; source review found the terminal WebSocket sink remains covered by the patched terminal bootstrap middleware.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/coollabsio/coolify",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "575b0766d12bad2a78febff72ab59c017772bcf7",
    "version": "4.0.0-beta.470",
    "ref": "v4.0.0-beta.470",
    "display": "Coolify v4.0.0-beta.470 (vulnerable parent target)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "914d7e0b50505bc1fd56c34974fca09ad354e92a",
    "version": "4.0.0-beta.471",
    "ref": "v4.0.0-beta.471",
    "display": "Coolify v4.0.0-beta.471 (fixed target tested for bypass)"
  },
  "same_root_cause_confidence": 0.15,
  "same_surface_confidence": 0.3,
  "claimed_surface": "Authenticated Member direct access to terminal backend bootstrap routes leading to WebSocket terminal SSH command execution",
  "validated_surface": "Negative result: Member API-token/private-key candidate executed; terminal WebSocket sink source-reviewed as covered by patched middleware; no bypass confirmed",
  "required_entrypoint_kind": "api_and_websocket",
  "required_entrypoint_detail": "Parent: POST /terminal/auth + POST /terminal/auth/ips -> WebSocket /terminal/ws command. Candidate tested: Member token creation -> /api/v1/security/keys sensitive-data serialization.",
  "attacker_controlled_input": "Authenticated low-privileged Member session, WebSocket command payload in parent; Member-created read/write API token in candidate",
  "trigger_path": [
    "routes/web.php:/terminal/auth",
    "routes/web.php:/terminal/auth/ips",
    "docker/coolify-realtime/terminal-server.js:/terminal/ws",
    "app/Livewire/Security/ApiTokens.php:addNewToken",
    "routes/api.php:/api/v1/security/keys",
    "app/Http/Controllers/Api/SecurityController.php:keys"
  ],
  "observed_impact_class": "none_new_variant",
  "exploitability_confidence": 0.1,
  "evidence_scope": "runtime_negative_candidate_and_source_review",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "The fixed terminal bootstrap routes enforce can.access.terminal for Members, and the distinct API-token/private-key candidate did not leak private_key without read:sensitive/root ability.",
  "blocking_mitigation": "can.access.terminal middleware on /terminal/auth and /terminal/auth/ips; ApiSensitiveData requires read:sensitive/root for private_key serialization.",
  "file_path": "routes/web.php",
  "line_start": 160,
  "line_end": 199,
  "secondary_anchors": [
    {
      "file_path": "docker/coolify-realtime/terminal-server.js",
      "line_start": 76,
      "line_end": 300
    },
    {
      "file_path": "app/Http/Middleware/CanAccessTerminal.php",
      "line_start": 14,
      "line_end": 24
    },
    {
      "file_path": "app/Http/Middleware/ApiSensitiveData.php",
      "line_start": 11,
      "line_end": 18
    },
    {
      "file_path": "app/Http/Controllers/Api/SecurityController.php",
      "line_start": 12,
      "line_end": 57
    }
  ],
  "review_scope_paths": [
    "routes/web.php",
    "routes/api.php",
    "docker/coolify-realtime/terminal-server.js",
    "docker/coolify-realtime/terminal-utils.js",
    "app/Http/Middleware/CanAccessTerminal.php",
    "app/Providers/AuthServiceProvider.php",
    "app/Livewire/Security/ApiTokens.php",
    "app/Policies/ApiTokenPolicy.php",
    "app/Http/Middleware/ApiSensitiveData.php",
    "app/Http/Controllers/Api/SecurityController.php",
    "SECURITY.md"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
