Auth bypass in Black Duck Coverity
CVE-2026-1496
Vulnerable versions of Coverity Connect lack an error handler in the authentication logic for command-line tooling, which makes them vulnerable to an authentication bypass. A malicious actor with access to the /token API endpoint that either k…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (26.5th percentile)
Affected products
- Black Duck Coverity — versions 2024.3.0, 2024.3.0A, 2024.3.1A
Weakness classification (CWE)
References
- community.blackduck.com/s/article/Black-Duck-Security-Advisory-CVE-2026-1496 (vendor-advisory)
- community.blackduck.com/s/article/Instructions-on-how-to-block-token-endpoint-f… (vendor-advisory, mitigation)
- community.blackduck.com/s/article/WAF-IDS-IPS-Mitigation-Guidance (vendor-advisory, mitigation)
- github.com/blackduck-inc/Coverity-Usage-Log-Analyzer (related)