CVSS 9.8 · CRITICAL

CVE-2026-25660

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.

View on NVD

Analysis

CodeChecker, the analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy, is vulnerable to an authentication bypass in releases through 6.27.3. The authentication check is bypassed when the request URL ends with "Authentication" (the name of the login endpoint), so a request to a look-alike URL reaches a protected function call without a valid session. Because the reachable functionality includes permission management, an unauthenticated network attacker can assign arbitrary permissions to any user that already exists in the CodeChecker instance, which is why the vector carries PR:N and C/I/A all HIGH. The classification is CWE-290 (authentication bypass by spoofing) for the URL-based bypass and CWE-863 (incorrect authorization) for the resulting permission assignment. Until an affected instance is upgraded, limiting network exposure of the CodeChecker server reduces the attack surface, since the vector assumes a remote attacker with no privileges or user interaction.
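The following Python is an added example, not code from CodeChecker or from this page. It models the defect class the description names (an authentication exemption keyed on a path suffix instead of on the exact login endpoint), places the exact-match check beside it, adds a version check against the affected range stated above (through 6.27.3), and scans access-log lines for the request shape the description implies. The endpoint path `/api/Authentication`, the log format and the sample log lines are assumptions constructed for the illustration; CodeChecker's actual routing is not reproduced here.

```python
"""Added example (not CodeChecker's own code): models the class of defect the advisory
describes, where an authentication exemption is keyed on the request path ending in
"Authentication" rather than on the exact login endpoint. Endpoint paths, the access-log
format and the sample log lines are all assumptions constructed for this illustration."""
import re

# Assumed login endpoint that legitimately must be reachable without a session.
LOGIN_ENDPOINT = "/api/Authentication"


def _normalize(path: str) -> str:
    """Strip the query string and any trailing slash so comparisons are exact."""
    return path.split("?", 1)[0].rstrip("/") or "/"


def requires_auth_suffix(path: str) -> bool:
    """Weak exemption (the pattern the advisory describes): any path that merely
    ends with 'Authentication' is treated as the login endpoint and skips auth."""
    return not _normalize(path).endswith("Authentication")


def requires_auth_exact(path: str) -> bool:
    """Hardened exemption: only the exact login endpoint is allowed without a session;
    every other path, including look-alikes, must carry a valid session."""
    return _normalize(path) != LOGIN_ENDPOINT


def is_affected_version(version: str) -> bool:
    """True for CodeChecker releases the advisory lists as affected (through 6.27.3).
    Only the leading numeric components are compared; suffixes like '-rc1' are ignored."""
    parts = [int(m) for m in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) <= (6, 27, 3)


# Assumed combined-log-style request field: '"METHOD /path HTTP/1.1" status'
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Hunt for requests whose path ends in 'Authentication' but is not the real
    login endpoint: the shape of request the advisory says bypasses the check."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m is None:
            continue
        path = _normalize(m.group("path"))
        if path.endswith("Authentication") and path != LOGIN_ENDPOINT:
            hits.append((m.group("method"), path, int(m.group("status"))))
    return hits


# Constructed sample access-log lines (not real CodeChecker traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Apr/2026:14:16:18 +0000] "POST /api/Authentication HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2026:14:16:19 +0000] "POST /api/Products/Authentication HTTP/1.1" 200 88',
    '203.0.113.7 - - [24/Apr/2026:14:16:20 +0000] "GET /api/Products HTTP/1.1" 401 0',
    '198.51.100.4 - - [24/Apr/2026:14:17:01 +0000] "POST /api/Authentication/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for method, path, status in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious: {method} {path} -> {status}")
    print("6.27.3 affected:", is_affected_version("6.27.3"))
```

The log scan deliberately treats a 200 response to a look-alike path as the interesting signal: under the weak check such a request is served instead of being rejected with 401, which is what the third sample line shows for a normal protected path.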

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-290 (Authentication Bypass by Spoofing), CWE-863 (Incorrect Authorization)

EPSS

Exploitation probability (next 30 days): 0.0007 (about 0.1%)
Percentile: 21.1%
EPSS score date: 2026-05-06

Affects

ericsson:codechecker

Published: 2026-04-24 14:16:18
Last modified: 2026-04-27 14:48:20
