CRITICAL | CVE-2026-1496 | CNA: BlackDuck
CVE-2026-1496: Coverity CLI Authentication Bypass
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling, which makes them vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint who either knows or guesses a valid username can use it in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user's Coverity Connect account.
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 2024.3.0A
- Affected Products: 1
Fix available
2024.3.0A, 2024.3.1A, 2024.3.2A, 2024.6.0A, 2024.6.1A, 2024.9.0A, 2024.9.1A, 2024.12.0A, 2024.12.1A, 2024.12.2, 2025.3.0A, 2025.3.1A, 2025.3.2, 2025.6.0A, 2025.6.2A, 2025.6.4, 2025.9.0A, 2025.9.2A, 2025.9.3, 2025.12.0, 2025.12.0A, 2025.12.1
Affected packages
- Black Duck / Coverity: affected versions < 2025.12.0 (from 2024.3.0). Fixed in 2024.3.0A, 2024.3.1A, 2024.3.2A, 2024.6.0A, 2024.6.1A, 2024.9.0A, 2024.9.1A, 2024.12.0A, 2024.12.1A, 2024.12.2, 2025.3.0A, 2025.3.1A, 2025.3.2, 2025.6.0A, 2025.6.2A, 2025.6.4, 2025.9.0A, 2025.9.2A, 2025.9.3, 2025.12.0A, 2025.12.1
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N