← voltar
CVE-2026-1496

Coverity CLI Authentication Bypass

CVSS 9.3 CRITICALEPSS 0.5%CWE-639
Vexday Risk Score
28Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 9.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
27 mar 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Produtos afetados
Black Duck · Coverity

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connecthttps://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidancehttps://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer