CVE-2026-1496 PUBLISHED

Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command line tooling that makes it vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either knows or guesses a valid username, can use this in a specially crafted HTTP request to bypass authentication. Successful exploitation allows the malicious actor to assume all roles and privileges granted to the valid user’s Coverity Connect account.

Customers are recommended to upgrade to one of the following Coverity patched versions at their earliest availability or deploy documented mitigations.

Patched versions:

• 2025.12.1

• 2025.12.0A

• 2025.9.2A
• 2025.9.0A
• 2025.6.2A
• 2025.6.0A
• 2025.3.1A
• 2025.3.0A
• 2024.12.1A
• 2024.12.0A
• 2024.9.1A
• 2024.9.0A

Full Installers:

• 2025.12.1
• 2025.9.3
• 2025.6.4
• 2025.3.2
• 2024.12.2

• Huong Kieu from Cenobe finder

• https://community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496
• https://community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-for-Coverity-Connect
• https://community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance
• https://github.com/blackduck-inc/Coverity-Usage-Log-Analyzer

• CWE-639 Authorization bypass through User-Controlled key CWE

• CAPEC-384 Application API Message Manipulation via Man-in-the-Middle