Description
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic used by the command line tooling, which leaves the product open to an authentication bypass. A malicious actor with access to the /token API endpoint who knows or guesses a valid username can use that username in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user's Coverity Connect account.
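The failure mode the advisory describes, an authentication path whose error case is not handled as a failure, is easiest to see next to its fail-closed counterpart. The block below is an added illustration of that pattern and is not Coverity Connect's code; the user store, password hashing parameters, signing key, request shape and the names token_fail_open / token_fail_closed are all constructed for the example. In the vulnerable handler a request that names a valid user but omits the password field never sets the result of the credential check, and the handler falls through to issuing a token; the hardened handler treats anything other than an affirmative success as a failure.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store for the example; not Coverity Connect's data model.
_SALT = b"example-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {
    "alice": {"pw": _hash_pw("correct horse battery"), "roles": ["admin"]},
    "bob": {"pw": _hash_pw("hunter2"), "roles": ["viewer"]},
}
_DUMMY_PW = _hash_pw("placeholder")  # keeps timing similar for unknown usernames
_SIGNING_KEY = secrets.token_bytes(32)  # hypothetical server-side token key


def check_password(username: str, password: str) -> bool:
    """True only for a known user with the right password; same cost either way."""
    rec = USERS.get(username)
    expected = rec["pw"] if rec is not None else _DUMMY_PW
    match = hmac.compare_digest(_hash_pw(password), expected)
    return match and rec is not None


def mint_token(username: str) -> str:
    """HMAC-signed bearer token: username|expiry|signature."""
    payload = f"{username}|{int(time.time()) + 3600}"
    sig = hmac.new(_SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{sig}"


def token_fail_open(request: dict) -> dict:
    """Vulnerable pattern: the credential check's error path is never treated as failure."""
    username = request.get("username")
    if username not in USERS:  # a valid username is still required, as in the advisory
        return {"error": "invalid credentials"}
    auth_ok = None  # tri-state by accident: None, True or False
    try:
        auth_ok = check_password(username, request["password"])  # KeyError if the field is missing
    except KeyError:
        pass  # missing error handler: the failure leaves auth_ok at None
    if auth_ok is False:
        return {"error": "invalid credentials"}
    return {"token": mint_token(username), "roles": USERS[username]["roles"]}  # None falls through


def token_fail_closed(request: dict) -> dict:
    """Hardened: anything other than an affirmative success is a failure."""
    username = request.get("username")
    password = request.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return {"error": "invalid credentials"}
    if not check_password(username, password):
        return {"error": "invalid credentials"}
    return {"token": mint_token(username), "roles": USERS[username]["roles"]}
```

The hardened version also answers unknown usernames with the same message and roughly the same cost as a wrong password, which matters here because the advisory's precondition is a known or guessed username.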
References (4)
Scores
CVSS v4: 9.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0016
EPSS Percentile: 37.2%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Status: published
Products (22)
Black Duck/Coverity 2024.12.0A
Black Duck/Coverity 2024.12.1A
Black Duck/Coverity 2024.12.2
Black Duck/Coverity 2024.3.0 - 2025.12.0
Black Duck/Coverity 2024.3.0A
Black Duck/Coverity 2024.3.1A
Black Duck/Coverity 2024.3.2A
Black Duck/Coverity 2024.6.0A
Black Duck/Coverity 2024.6.1A
Black Duck/Coverity 2024.9.0A
... and 12 more
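The product list mixes exact builds such as 2024.12.0A with the range 2024.3.0 - 2025.12.0, so a triage script has to parse both forms before it can answer "is my installed version on this list". The block below is an added example, not a tool from Black Duck; it reproduces only the ten entries visible on this page, and its ordering of a trailing letter after the bare release (2024.3.0 < 2024.3.0A < 2024.3.1) is an assumption about Coverity version numbering, not something the advisory states.

```python
import re

# Affected entries as listed on this page for Black Duck/Coverity; the 12 entries
# behind "... and 12 more" are not reproduced here.
AFFECTED = [
    "2024.12.0A", "2024.12.1A", "2024.12.2", "2024.3.0 - 2025.12.0",
    "2024.3.0A", "2024.3.1A", "2024.3.2A", "2024.6.0A", "2024.6.1A", "2024.9.0A",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Z])?$")


def parse_version(text: str) -> tuple:
    """Parse 'YYYY.M.P' or 'YYYY.M.PA' into a sortable tuple.

    Assumption (not from the advisory): a trailing letter is a maintenance build
    that orders after the bare release, so 2024.3.0 < 2024.3.0A < 2024.3.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Coverity version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), ord(suffix) - ord("A") + 1 if suffix else 0)


def is_affected(version: str, entries=AFFECTED) -> bool:
    """True if version matches a listed entry or falls inside a listed 'lo - hi' range."""
    v = parse_version(version)
    for entry in entries:
        if " - " in entry:
            lo, hi = (parse_version(p) for p in entry.split(" - ", 1))
            if lo <= v <= hi:
                return True
        elif parse_version(entry) == v:
            return True
    return False
```

A True result means the version is on the list reproduced here; a False result only means it is not among these ten entries. The page does not state fixed versions, so absence from the list is not evidence that a build is patched, and the vendor advisory remains the authority for the remaining twelve entries.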
Published: Mar 27, 2026
Tracked Since: Mar 29, 2026