CVE-2026-1496
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Black Duck | Coverity | 2024.3.0 < 2025.12.0 | affected |
| Black Duck | Coverity | 2024.3.0A | unaffected |
| Black Duck | Coverity | 2024.3.1A | unaffected |
| Black Duck | Coverity | 2024.3.2A | unaffected |
| Black Duck | Coverity | 2024.6.0A | unaffected |
| Black Duck | Coverity | 2024.6.1A | unaffected |
| Black Duck | Coverity | 2024.9.0A | unaffected |
| Black Duck | Coverity | 2024.9.1A | unaffected |
| Black Duck | Coverity | 2024.12.0A | unaffected |
| Black Duck | Coverity | 2024.12.1A | unaffected |
| Black Duck | Coverity | 2024.12.2 | unaffected |
| Black Duck | Coverity | 2025.3.0A | unaffected |
| Black Duck | Coverity | 2025.3.1A | unaffected |
| Black Duck | Coverity | 2025.3.2 | unaffected |
| Black Duck | Coverity | 2025.6.0A | unaffected |
| Black Duck | Coverity | 2025.6.2A | unaffected |
| Black Duck | Coverity | 2025.6.4 | unaffected |
| Black Duck | Coverity | 2025.9.0A | unaffected |
| Black Duck | Coverity | 2025.9.2A | unaffected |
| Black Duck | Coverity | 2025.9.3 | unaffected |
| Black Duck | Coverity | 2025.12.0A | unaffected |
| Black Duck | Coverity | 2025.12.1 | unaffected |
Weaknesses
- CWE-639: CWE-639 Authorization bypass through User-Controlled key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496
- https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect
- https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance
- https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.