[variant] generating RSA-2048 (RS256), EC prime256v1 (ES256), Ed25519 (EdDSA) keypairs [variant] pubkey sizes: rsa=451 ec=178 ed=113 [variant] ensuring docker images are available [variant] cleaning up containers and network [variant] creating docker network apisix-cve2026-variant [variant] starting upstream (python http.server) [variant] starting client helper [variant] === VULNERABLE: starting APISIX image apache/apisix:3.16.0-debian === [variant] waiting for vulnerable APISIX admin API [variant] vulnerable APISIX admin API ready [*] role=vulnerable [*] create consumer jack-rs (RS256): 201 [*] create consumer jack-ec (ES256): 201 [*] create consumer jack-ed (EdDSA): 201 [*] create route jwt-auth: 201 [*] no-jwt control: 401 (expect 401) [*] RS256 forged HS256 -> 200 [BYPASS] body=