CVE-2026-1496

Coverity CLI Authentication Bypass

CVSS 9.3 CRITICALEPSS 0.5%CWE-639

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

27 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected products

Black Duck · Coverity

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496 https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer