
Description

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic used by the command line tooling, which makes them vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint who either knows or guesses a valid username can use that username in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user's Coverity Connect account.

Status: PUBLISHED | Reserved 2026-01-27 | Published 2026-03-27 | Updated 2026-03-27 | Assigner: BlackDuck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Version: Status
Default status: unaffected
2024.3.0 (custom) before 2025.12.0: affected
2024.3.0A: unaffected
2024.3.1A: unaffected
2024.3.2A: unaffected
2024.6.0A: unaffected
2024.6.1A: unaffected
2024.9.0A: unaffected
2024.9.1A: unaffected
2024.12.0A: unaffected
2024.12.1A: unaffected
2024.12.2: unaffected
2025.3.0A: unaffected
2025.3.1A: unaffected
2025.3.2: unaffected
2025.6.0A: unaffected
2025.6.2A: unaffected
2025.6.4: unaffected
2025.9.0A: unaffected
2025.9.2A: unaffected
2025.9.3: unaffected
2025.12.0A: unaffected
2025.12.1: unaffected

Credits

Huong Kieu from Cenobe (finder)

References

community.blackduck.com/...k-Security-Advisory-CVE-2026-1496 (vendor advisory)

community.blackduck.com/...ken-endpoint-for-Coverity-Connect (vendor advisory, mitigation)

community.blackduck.com/...e/WAF-IDS-IPS-Mitigation-Guidance (vendor advisory, mitigation)

github.com/blackduck-inc/Coverity-Usage-Log-Analyzer (related)

cve.org (CVE-2026-1496)

nvd.nist.gov (CVE-2026-1496)
