CVE-2026-25660

Source
https://cve.org/CVERecord?id=CVE-2026-25660
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25660.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25660
Aliases
Published
2026-04-24T13:10:26.171Z
Modified
2026-07-08T08:12:26.531768153Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Red CVSS Calculator
Summary
Authentication bypass for certain API calls
Details

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker.

This issue affects CodeChecker: through 6.27.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25660.json",
    "cna_assigner": "ERIC",
    "cwe_ids": [
        "CWE-290",
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/ericsson/codechecker

Affected ranges

Type
GIT
Repo
https://github.com/ericsson/codechecker
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.27.3"
        },
        {
            "fixed": "6.27.4"
        }
    ]
}

Affected versions

v4.*
v4.0
v5.*
v5.0
v5.1
v5.10
v5.2
v5.3
v5.4
v5.5
v5.6
v5.7
v5.7.1
v5.8
v5.9
v6.*
v6.0
v6.0.1
v6.1
v6.1.1
v6.10.0
v6.12.0
v6.13.0
v6.14.0
v6.15.0
v6.16.0
v6.17.0
v6.18.0
v6.19.0
v6.2
v6.2.1
v6.20.0
v6.21.0
v6.22.0
v6.23.0
v6.23.0-rc1
v6.24.0
v6.25.0
v6.26.0
v6.27.0
v6.27.1
v6.27.2
v6.27.3
v6.3
v6.4
v6.5
v6.5.1
v6.6.0
v6.7.0
v6.7.1
v6.8.0
v6.8.1
v6.9.0
v6.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25660.json"