Verified — AutoBangumi before 3.2.8 seeds a default admin account on empty databases, allowing unauthenticated users to log in with publicly known default credentials and gain full control.
Severity: CRITICAL
Confidence: HIGH
Reproduced in: 14m 56s
Tool calls: 128
Spend: $2.02
Affected: < 3.2.8
Fixed in: 3.2.8
$ pruva-verify REPRO-2026-00219
or
$ curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00219/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
AutoBangumi versions prior to 3.2.8 create a default administrator account when the users table is empty. The credentials are hard-coded and publicly known, enabling unauthenticated attackers to log in via the authentication endpoint and obtain full administrative access to the application.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Scripts, logs, diffs, and output captured during the reproduction.
bundle/ticket.md (2.1 KB)
bundle/ticket.json (3.0 KB)
bundle/logs/pull-vuln.log (0.2 KB)
bundle/logs/pull-fixed.log (0.2 KB)
bundle/logs/run.log (16.4 KB)
bundle/logs/vuln-1-startup.log (2.0 KB)
bundle/logs/vuln-2-startup.log (2.0 KB)
bundle/logs/fixed-1-startup.log (2.0 KB)
bundle/logs/fixed-2-startup.log (2.0 KB)
bundle/repro/ab_probe.py (1.5 KB)
bundle/repro/runtime_manifest.json (1.3 KB)
bundle/repro/validation_verdict.json (0.9 KB)
bundle/logs/vuln_variant/run.log (2.7 KB)
bundle/logs/vuln_variant/pull-auto_bangumi:3.2.6.log (0.2 KB)
bundle/logs/vuln_variant/pull-auto_bangumi:latest.log (0.2 KB)
bundle/logs/vuln_variant/pull-auto_bangumi:3.3.0-beta.2.log (0.2 KB)
bundle/logs/vuln_variant/vuln-startup.log (2.0 KB)
bundle/logs/vuln_variant/latest-startup.log (2.0 KB)
bundle/logs/vuln_variant/beta-startup.log (2.1 KB)
bundle/logs/vuln_variant/setup-startup.log (2.0 KB)
bundle/logs/vuln_variant/fixed_version.txt (0.3 KB)
bundle/logs/vuln_variant/latest_version.txt (0.3 KB)
bundle/vuln_variant/ab_probe2.py (1.7 KB)
bundle/vuln_variant/artifacts/vuln-noauth-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/vuln-login.json (0.5 KB)
bundle/vuln_variant/artifacts/vuln-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/latest-noauth-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/latest-login.json (0.5 KB)
bundle/vuln_variant/artifacts/latest-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/beta-noauth-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/beta-login.json (0.5 KB)
bundle/vuln_variant/artifacts/beta-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/setup-status.json (0.2 KB)
bundle/vuln_variant/artifacts/setup-complete.json (0.3 KB)
bundle/vuln_variant/artifacts/setup-login.json (0.5 KB)
bundle/vuln_variant/artifacts/setup-rss.json (0.1 KB)
bundle/vuln_variant/artifacts/setup-oldlogin.json (0.2 KB)
bundle/vuln_variant/runtime_manifest.json (2.8 KB)
bundle/vuln_variant/patch_analysis.md (6.7 KB)
bundle/vuln_variant/variant_manifest.json (4.9 KB)
bundle/vuln_variant/validation_verdict.json (4.9 KB)
bundle/vuln_variant/source_identity.json (2.3 KB)
bundle/vuln_variant/root_cause_equivalence.json (3.7 KB)
bundle/repro/reproduction_steps.sh (14.9 KB)
bundle/repro/rca_report.md (10.6 KB)
bundle/vuln_variant/reproduction_steps.sh (19.4 KB)
bundle/vuln_variant/rca_report.md (15.9 KB)