{
  "variant_stage_outcome": "alternate_trigger_confirmed_not_bypass",
  "bypass_confirmed": false,
  "alternate_trigger_confirmed": true,
  "claim_outcome": "confirmed",
  "claim_block_reason": "fixed_version_rejects_variant_inputs",
  "repro_result": "confirmed_on_vulnerable_rejected_on_fixed",
  "validated_surface": "network_protocol",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "JWT with valid exp but invalid issuer, invalid audience, or signature from an untrusted key, replayed directly in Kafka SASL/OAUTHBEARER initial client response",
  "trigger_path": "TCP connection to Kafka broker -> SaslHandshake(OAUTHBEARER) -> SaslAuthenticate(auth=Bearer <invalid JWT>) -> OAuthBearerValidatorCallbackHandler -> DefaultJwtValidator -> ClientJwtValidator on 4.1.0 / BrokerJwtValidator on 4.1.2",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": true,
  "blocking_mitigation": "Kafka 4.1.2 DefaultJwtValidator selects BrokerJwtValidator when jwks.endpoint.url is configured; BrokerJwtValidator rejects the invalid issuer/audience/signature variant inputs.",
  "inferred": false,
  "variant_matrix": {
    "alternate_trigger_confirmed_on_vulnerable": true,
    "bypass_confirmed_on_fixed": false,
    "valid_controls_ok": true,
    "vulnerable_variant_accepts": {
      "wrong_issuer": true,
      "wrong_audience": true,
      "tampered_signature": true
    },
    "fixed_variant_rejects": {
      "wrong_issuer": true,
      "wrong_audience": true,
      "tampered_signature": true
    },
    "fixed_variant_accepts": {
      "wrong_issuer": false,
      "wrong_audience": false,
      "tampered_signature": false
    },
    "tested_variants": [
      "wrong_issuer",
      "wrong_audience",
      "tampered_signature"
    ],
    "vulnerable_version": "4.1.0",
    "fixed_version": "4.1.2",
    "vulnerable_tag_commit": "13f70256db3c994c590e5d262a7cc50b9e973204",
    "fixed_tag_commit": "c82fd9b934b4c1e6fa799e3f1dcc8f08d997740c"
  }
}