{ "run_id": "gitea-gitea--CVE-2026-20736-20260318035423", "system_id": "gitea", "advisory_id": "gitea--CVE-2026-20736", "repro_profile_id": "gitea-authz-bypass", "verification_status": "verified-real", "verification_mode": "real", "artifact_mode": "local-fixture", "target_env": "local-docker", "compose_services": [ "app" ], "baseline_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/logs/baseline.json" ], "attack_steps": [ { "kind": "runner", "tool": "gitea.authz-bypass", "status": "completed", "status_code": 200, "result_path": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/logs/attack.json" } ], "browser_refs": [], "browser_evidence": { "required": false, "present": false, "refs": [], "baseline_refs": [], "proof_refs": [], "baseline_title": null, "proof_title": null, "error_kind": null, "reason": null }, "container_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/logs/docker/app.log" ], "request_log_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/logs/attack.json", "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/logs/baseline.json" ], "compose_refs": [ "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/compose/compose.yaml" ], "timeline": [ { "at": "2026-03-18T03:54:23+00:00", "step": "select-advisory", "status": "completed", "detail": "gitea--CVE-2026-20736" }, { "at": "2026-03-18T03:54:23+00:00", "step": "resolve-repro-profile", "status": "completed", "detail": "gitea-authz-bypass" }, { "at": "2026-03-18T03:54:23+00:00", "step": "doctor", "status": "completed", "detail": "all checks passed" }, { "at": "2026-03-18T03:54:26+00:00", "step": "provision-compose-environment", "status": "ready", "detail": "" }, { "at": "2026-03-18T03:54:26+00:00", "step": "wait-ready", "status": "completed", "detail": "baseline urls ready (1)" }, { "at": "2026-03-18T03:54:26+00:00", "step": "seed-environment", "status": "completed", "detail": "steps=1" }, { "at": "2026-03-18T03:54:26+00:00", "step": "baseline-snapshot", "status": "completed", "detail": "urls=1" }, { "at": "2026-03-18T03:54:26+00:00", "step": "controlled-attack-chain", "status": "completed", "detail": "steps=1" }, { "at": "2026-03-18T03:54:26+00:00", "step": "collect-logs-and-evidence", "status": "completed", "detail": "container_logs=1" }, { "at": "2026-03-18T03:54:27+00:00", "step": "cleanup-compose-environment", "status": "completed", "detail": "docker compose down completed" }, { "at": "2026-03-18T03:54:27+00:00", "step": "update-registry-and-reports", "status": "completed", "detail": "gitea-gitea--CVE-2026-20736-20260318035423" } ], "success_evaluation": { "passed": true, "verification_status": "verified-real", "blocked_reason": null, "assertions": [ { "name": "baseline-ok", "kind": "baseline-ok", "passed": true, "detail": "baseline URLs responded without 5xx or transport errors" }, { "name": "runner-success", "kind": "runner-success", "passed": true, "detail": "server-side authorization recheck was bypassed" } ] }, "historical_status": "verified-real", "latest_status": "verified-real", "started_at": "2026-03-18T03:54:23+00:00", "finished_at": "2026-03-18T03:54:27+00:00", "blocked_reason": null, "report_refs": { "bundle_dir": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423", "report_md": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/report.md", "report_html": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/report.html", "timeline": "/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20736-20260318035423/timeline.mmd" } }