GHSA-4v9x-cqc5-j645
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4v9x-cqc5-j645
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-4v9x-cqc5-j645/GHSA-4v9x-cqc5-j645.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4v9x-cqc5-j645
- Aliases
-
- CVE-2026-25660
- Published
- 2026-05-05T17:58:09Z
- Modified
- 2026-05-05T18:18:42.296215Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P CVSS Calculator
- Summary
- Codechecker has an authentication bypass for certain API calls
- Details
-
Summary
Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permissions to any existing user in CodeChecker.
Details
The following functions are affected under the Authentication endpoint:
getAuthorisedNames,getPermissionsForUser,hasPermission,addPermission, andremovePermission.The vulnerability allows unauthenticated users to execute these function calls with arbitrary arguments. In the logs, the exploit shows as follows:
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames [INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermissionImpact
An attacker with a CodeChecker user can effectively acquire superuser permissions by calling these endpoints.
Patch
A patch is available at https://github.com/Ericsson/codechecker/releases/tag/v6.27.4.
- Database specific
{ "github_reviewed": true, "severity": "CRITICAL", "github_reviewed_at": "2026-05-05T17:58:09Z", "cwe_ids": [ "CWE-290", "CWE-863" ], "nvd_published_at": "2026-04-24T14:16:18Z" }- References
Affected packages
PyPI / codechecker
Package
- Name
- codechecker
- View open source insights on deps.dev
- Purl
- pkg:pypi/codechecker
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected6.27.3