Skip to main content

Coverity CVE-2026-1496

| EUVDEUVD-2026-16595 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-27 BlackDuck GHSA-gc4h-xc67-2w55
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:48 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.12.0
EUVD ID Assigned
Mar 27, 2026 - 14:30 euvd
EUVD-2026-16595
Analysis Generated
Mar 27, 2026 - 14:30 vuln.today
CVE Published
Mar 27, 2026 - 14:14 nvd
CRITICAL 9.3

DescriptionCVE.org

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.

AnalysisAI

Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.

Technical ContextAI

The vulnerability resides in Black Duck Coverity's (cpe:2.3:a:black_duck:coverity) REST API /token endpoint, which handles authentication for command-line interface tooling. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that missing error handling in the authentication validation logic fails to properly reject malformed or unauthorized token requests. When authentication logic lacks proper exception handling, attackers can exploit unexpected code paths to bypass credential verification. The /token endpoint is exposed to network clients and does not enforce sufficient validation before granting session tokens that carry the full permission set of an impersonated user account.

RemediationAI

Immediately upgrade Coverity Connect to a patched version as specified in the Black Duck Security Advisory (https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496). If immediate patching is not feasible, deploy network-level mitigations: block direct access to the /token API endpoint using a Web Application Firewall (WAF), Network Intrusion Detection/Prevention System (IDS/IPS), or reverse proxy as detailed in https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect and https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance. Restrict network access to the Coverity Connect instance to trusted internal networks only, disable external API exposure where possible, and monitor authentication logs for suspicious token requests using known usernames.

Share

CVE-2026-1496 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy