Verified reproduction
REPRO-2026-00077: GNU InetUtils telnetd Remote Authentication Bypass
REPRO-2026-00077 is verified against inetutils · gnu affected versions: 1.9.3 - 2.7 vulnerability class: Auth Bypass This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00077.
Severity CRITICAL
Confidence HIGH
Reproduced in 35m 50s
Tool calls 300
Affected 1.9.3 - 2.7
$
pruva-verify REPRO-2026-00077 or
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00077/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Run in a VM or disposable container. This exploits a real vulnerability.
GNU InetUtils telnetd versions 1.9.3 through 2.7 accept the USER environment variable from telnet clients and pass it directly to login(1) without sanitization.
telnetd passes USER environment variable directly to login(1) without validation. When USER begins with -f root, login interprets -f as a flag to skip authentication.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
No artifacts available