CVE-2026-1496

Sažetak

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.

Reference

https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496
https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect
https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance
https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

27-03-2026 - 15:16

Objavljeno

27-03-2026 - 15:16