CVE-2026-1496

Description

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

High

Integrity (Vulnerable System)

High

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

Black Duck / Coverity2024.3.0 – 2025.12.0
Black Duck / Coverity2024.3.0A – 2024.3.0A
Black Duck / Coverity2024.3.1A – 2024.3.1A
Black Duck / Coverity2024.3.2A – 2024.3.2A
Black Duck / Coverity2024.6.0A – 2024.6.0A
Black Duck / Coverity2024.6.1A – 2024.6.1A
Black Duck / Coverity2024.9.0A – 2024.9.0A
Black Duck / Coverity2024.9.1A – 2024.9.1A
Black Duck / Coverity2024.12.0A – 2024.12.0A
Black Duck / Coverity2024.12.1A – 2024.12.1A
Black Duck / Coverity2024.12.2 – 2024.12.2
Black Duck / Coverity2025.3.0A – 2025.3.0A
Black Duck / Coverity2025.3.1A – 2025.3.1A
Black Duck / Coverity2025.3.2 – 2025.3.2
Black Duck / Coverity2025.6.0A – 2025.6.0A
Black Duck / Coverity2025.6.2A – 2025.6.2A
Black Duck / Coverity2025.6.4 – 2025.6.4
Black Duck / Coverity2025.9.0A – 2025.9.0A
Black Duck / Coverity2025.9.2A – 2025.9.2A
Black Duck / Coverity2025.9.3 – 2025.9.3
Black Duck / Coverity2025.12.0A – 2025.12.0A
Black Duck / Coverity2025.12.1 – 2025.12.1

Description

CVSS breakdown

Affected products

References