Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
AnalysisAI
Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.
Technical ContextAI
The vulnerability resides in Black Duck Coverity's (cpe:2.3:a:black_duck:coverity) REST API /token endpoint, which handles authentication for command-line interface tooling. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that missing error handling in the authentication validation logic fails to properly reject malformed or unauthorized token requests. When authentication logic lacks proper exception handling, attackers can exploit unexpected code paths to bypass credential verification. The /token endpoint is exposed to network clients and does not enforce sufficient validation before granting session tokens that carry the full permission set of an impersonated user account.
RemediationAI
Immediately upgrade Coverity Connect to a patched version as specified in the Black Duck Security Advisory (https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496). If immediate patching is not feasible, deploy network-level mitigations: block direct access to the /token API endpoint using a Web Application Firewall (WAF), Network Intrusion Detection/Prevention System (IDS/IPS), or reverse proxy as detailed in https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect and https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance. Restrict network access to the Coverity Connect instance to trusted internal networks only, disable external API exposure where possible, and monitor authentication logs for suspicious token requests using known usernames.
A cross-site request forgery (CSRF) vulnerability in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers to conn
A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission t
A plaintext storage of a password vulnerability exists in Jenkins Coverity Plugin 1.10.0 and earlier in CIMInstance.java
Versions of Coverity Connect prior to 2022.12.0 are vulnerable to an unauthenticated Cross-Site Scripting vulnerability.
Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthor
A missing permission check in Jenkins Coverity Plugin 1.11.4 and earlier allows attackers with Overall/Read permission t
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16595
GHSA-gc4h-xc67-2w55