Which versions of CodeChecker are affected by CVE-2026-25660?

CodeChecker versions through 6.27.3 contain a critical authentication bypass vulnerability (CVSS 9.3) that allows unauthenticated remote attackers to grant arbitrary permissions to any user,…

How to fix or mitigate CVE-2026-25660?

Within 24 hours: Immediately isolate CodeChecker instances from external network access and audit all user permission grants for unauthorized changes. Within 7 days: Implement network segmentation restricting CodeChecker access to authorized development teams only; conduct forensic review of access logs since deployment. Within 30 days: Monitor vendor CodeChecker repository for patch release to version 6.27.4 or later; evaluate alternative static analysis platforms without this vulnerability as contingency if patch timeline extends beyond 60 days.

CodeChecker CVE-2026-25660

Q: What is the CVSS score of CVE-2026-25660?

CVE-2026-25660 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Red. EPSS exploitation probability: 0.1%.

EUVD-2026-25417 CRITICAL

Authentication Bypass by Spoofing (CWE-290)

2026-04-24 ERIC

GHSA-4v9x-cqc5-j645

Authentication Bypass Codechecker

9.3

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

9.3 CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Red

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Red

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 27, 2026 - 14:52 vuln.today

cvss_changed

Analysis Generated

Apr 24, 2026 - 16:30 vuln.today

CVSS changed

Apr 24, 2026 - 14:22 NVD

9.3 (CRITICAL)

EUVD ID Assigned

Apr 24, 2026 - 14:00 euvd

EUVD-2026-25417

Analysis Generated

Apr 24, 2026 - 14:00 vuln.today

CVE Published

Apr 24, 2026 - 13:10 nvd

CRITICAL 9.3

DescriptionCVE.org

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker.

This issue affects CodeChecker: through 6.27.3.

AnalysisAI

Authentication bypass in CodeChecker allows remote unauthenticated attackers to assign arbitrary permissions to any user through specially crafted URLs. All versions through 6.27.3 are affected, exposing static analysis infrastructure to complete compromise. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access CodeChecker web service

Delivery

Craft URL with authentication bypass pattern

Exploit

Submit permission assignment request

Execution

Elevate arbitrary user to admin role

Persist

Access sensitive analysis data

Impact

Establish persistent backdoor accounts