PYSEC-2026-317

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/codechecker/PYSEC-2026-317.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-317
Aliases
Published
2026-06-29T11:50:50.050635Z
Modified
2026-07-01T20:22:50.508956Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
Summary
Codechecker has an authentication bypass for certain API calls
Details

Summary

An authentication bypass occurs when the request URL ends with the Authentication endpoint and targets certain function calls. The bypass allows assigning arbitrary permissions to any existing user in CodeChecker.

Details

The following functions are affected under the Authentication endpoint: getAuthorisedNames, getPermissionsForUser, hasPermission, addPermission, and removePermission.

The vulnerability allows unauthenticated users to execute these function calls with arbitrary arguments. In the server logs, the exploit appears as follows:

[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermission
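As an added example (not part of the advisory or of CodeChecker itself), a small Python check that flags the pattern shown above in CodeChecker server logs: anonymous calls to the affected Authentication functions, with the state-changing ones rated higher. The log format and the two suspicious lines are taken from the advisory; the benign lines and the placeholder function name otherFunction are constructed.

```python
import re

# Functions reachable without authentication on the Authentication endpoint
# (taken from the advisory text).
AFFECTED_FUNCTIONS = {
    "getAuthorisedNames", "getPermissionsForUser", "hasPermission",
    "addPermission", "removePermission",
}
# Calls that change state; a hit here means permissions may already have been altered.
MUTATING_FUNCTIONS = {"addPermission", "removePermission"}

# Matches the CodeChecker server log line format quoted in the advisory.
LOG_RE = re.compile(
    r"^\[(?P<level>\w+) (?P<ts>[\d-]+ [\d:]+)\] - (?P<client>\S+) -- "
    r"\[(?P<user>[^\]]+)\] (?P<method>\w+) /(?P<api>v[\d.]+)/Authentication@(?P<func>\w+)$"
)


def find_suspicious_calls(lines):
    """Return one finding per unauthenticated call to an affected Authentication function."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["func"] not in AFFECTED_FUNCTIONS:
            continue
        if m["user"] != "Anonymous":
            continue  # authenticated callers go through the normal permission checks
        findings.append({
            "timestamp": m["ts"],
            "client": m["client"],
            "function": m["func"],
            "severity": "high" if m["func"] in MUTATING_FUNCTIONS else "medium",
        })
    return findings


# Constructed sample: the two lines quoted in the advisory plus two benign lines
# (an authenticated caller, and an anonymous call to a placeholder function).
SAMPLE_LOG = """\
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermission
[INFO 2026-04-23 21:24] - 127.0.0.1:42660 -- [admin] POST /v6.67/Authentication@addPermission
[INFO 2026-04-23 21:24] - 127.0.0.1:42661 -- [Anonymous] POST /v6.67/Authentication@otherFunction
"""

if __name__ == "__main__":
    for finding in find_suspicious_calls(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any "high" finding on a server running 6.27.3 or earlier is a reason to audit the permission tables, not just to patch.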

Impact

An attacker who has a CodeChecker user account can effectively acquire superuser permissions by calling these endpoints.

Patch

A patch is available at https://github.com/Ericsson/codechecker/releases/tag/v6.27.4.

References

Affected packages

PyPI / codechecker

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
6.27.3

Affected versions

6.*
6.16.0a1
6.16.0
6.17.0
6.18.0
6.18.1
6.18.2
6.19.0
6.19.1
6.20.0rc1
6.20.0
6.21.0rc1
6.21.0
6.22.0rc1
6.22.0
6.22.1
6.22.2
6.22.2.post1
6.23.0rc2
6.23.0
6.23.1
6.24.0
6.24.1
6.24.2
6.24.4
6.25.0
6.25.1
6.26.0
6.26.1
6.26.2
6.27.1
6.27.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/codechecker/PYSEC-2026-317.yaml"