# CVE-2026-46716 Lab Setup Guide

---

## Prerequisites

| Tool | Install |
|------|---------|
| Docker Desktop | https://www.docker.com/ |
| nuclei | `brew install nuclei` |
| curl, python3 | pre-installed on macOS |

**Ports required:** 8008 (vulnerable: v1.14.14), 8009 (patched: built from commit d7526351cf97)

---

## Quick Start

```bash
# Step 1: Start lab environment
bash scripts/01-setup.sh

# Step 2: Trigger CVE manually (demonstrates API bypass + version check)
bash scripts/03-trigger-cve.sh

# Step 3: Run nuclei detection (vulnerable) — admin credentials required
nuclei -duc -u http://localhost:8008 \
  -t nuclei/CVE-2026-46716.yaml \
  -var username=admin -var password=admin

# Step 4: Run nuclei detection (patched — should show 0 findings)
nuclei -duc -u http://localhost:8009 \
  -t nuclei/CVE-2026-46716.yaml \
  -var username=admin -var password=admin

# Step 5: Teardown
bash scripts/99-teardown.sh
```

---

## Expected Results

### scripts/03-trigger-cve.sh

Both versions accept the member cron creation request (HTTP 200). The patch fixes execution behavior inside CronTrigger, not the API-level access control. Version determines exploitability.

```
--- Vulnerable v1.14.14 (http://localhost:8008) ---
HTTP 200 — Cron created (id: 1)
✓ CheckPermission: servers=[] — no ownership validation performed, request accepted
Version: 1.14.14
⚠ RESULT: CronTrigger delivery bypass PRESENT — VULNERABLE

--- Patched (commit d7526351cf97) (http://localhost:8009) ---
HTTP 200 — Cron created (id: 1)
✓ CheckPermission: servers=[] — no ownership validation performed, request accepted
Version: debug
✓ RESULT: CronTrigger delivery bypass patched (version: debug)
```

### nuclei (vulnerable, v1.14.14)

```
[CVE-2026-46716] [http] [critical] http://localhost:8008
[INF] Scan completed ... 1 matches found.
```

### nuclei (patched)

```
[INF] Scan completed ... 0 matches found.
```

---

## Detection Design Note

The nuclei template uses **version-based detection** rather than HTTP response behavior, because both versions return HTTP 200 for member cron creation with `servers:[], cover:1`. Admin credentials are required because `GET /api/v1/setting` only returns the `version` field for RoleAdmin users.

---

## Manual Member Account Creation

If the setup script cannot create the member account via API:

1. Open `http://localhost:8008` in a browser
2. Login with `admin` / `admin`
3. Navigate to **Settings → Users → Add User**
4. Set: Username `member`, Password `Memberpass123!`, Role `Member`

---

## Troubleshooting

| Error | Cause | Fix |
|-------|-------|-----|
| `pull access denied` for Docker image | Tag not available in GHCR | Check available tags: `docker search ghcr.io/nezhahq/nezha` |
| Login returns 401 | admin password changed | Reset: `docker compose down -v && rm -rf data/ && docker compose up -d` |
| User creation API 404 | API path differs by version | Create member account manually via UI |
| nuclei: 0 matches on vulnerable | Using member creds (version hidden) | Use admin credentials: `-var username=admin -var password=admin` |

---
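The version-based check from the Detection Design Note, and the "0 matches on vulnerable" troubleshooting case, can be made explicit as a triage function that separates "version hidden" from "not vulnerable". This is an added example, not the lab's nuclei template or scripts; the JSON envelope of the sample bodies and the verdict names are assumptions, while the endpoint, the `version` field and the two version strings come from this guide.

```python
import json

# Version strings taken from this lab guide.
LAB_VULNERABLE_VERSION = "1.14.14"  # image on port 8008
LAB_SOURCE_BUILD_VERSION = "debug"  # build from commit d7526351cf97 on port 8009


def find_version(node):
    """Depth-first search for a non-empty string "version" field in decoded JSON."""
    if isinstance(node, dict):
        value = node.get("version")
        if isinstance(value, str) and value.strip():
            return value.strip()
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_version(child)
        if found is not None:
            return found
    return None


def classify_setting_response(status_code, body_text):
    """Map one GET /api/v1/setting response to a triage verdict (names are hypothetical)."""
    if status_code != 200:
        return "error"            # no session or endpoint unreachable: no verdict
    try:
        version = find_version(json.loads(body_text))
    except ValueError:            # body is not JSON (json.JSONDecodeError is a ValueError)
        return "error"
    if version is None:
        return "version-hidden"   # e.g. member session: the scan was blind, not clean
    version = version.lstrip("v")
    if version == LAB_VULNERABLE_VERSION:
        return "vulnerable"
    if version == LAB_SOURCE_BUILD_VERSION:
        return "source-build"     # patched in this lab; the string names no commit
    return "unverified"           # release not covered by this lab guide


if __name__ == "__main__":
    # Constructed sample bodies; the envelope shape is an assumption.
    admin_body = '{"success": true, "data": {"version": "1.14.14"}}'
    member_body = '{"success": true, "data": {"site_name": "lab"}}'
    print(classify_setting_response(200, admin_body))
    print(classify_setting_response(200, member_body))
```

A scanner wrapper should report `version-hidden` and `error` as inconclusive rather than folding them into "0 matches".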