🔐 CVE Alert

CVE-2026-1496

UNKNOWN 0.0

Coverity CLI Authentication Bypass

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling, which makes them vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint who either knows or guesses a valid username can use it in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user's Coverity Connect account.

CWE: CWE-639
Vendor: black duck
Product: coverity
Published: Mar 27, 2026
Last Updated: Mar 27, 2026

Affected Versions

Black Duck / Coverity
2024.3.0 < 2025.12.0

References

community.blackduck.com: https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496
community.blackduck.com: https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect
community.blackduck.com: https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance
github.com: https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer

Credits

Huong Kieu from Cenobe