Impact
The vulnerability is caused by the absence of an error handler in Coverity Connect's authentication logic for its command‑line tools. A malicious actor who can reach the /token API endpoint and knows or can guess a valid username can send a specially crafted HTTP request that bypasses authentication. Once authenticated, the attacker gains all roles and privileges assigned to the targeted user, allowing full access to the Coverity Connect environment. This is a high‑severity authentication bypass that could lead to unauthorized data exposure and critical changes to the code analysis repository.
Affected Systems
Affected releases are all Coverity Connect versions that are listed as vulnerable: 2024.12.0a, 2024.12.1a, 2024.12.2, 2024.3.0a‑3.2, 2024.6.0a‑6.1a, 2024.9.0a‑9.1a, and 2025.0a‑? (specifically 2025.12.0a, 12.1, 3.0a‑3.2, 6.0a‑6.4, 9.0a‑9.3). The patched releases are 2025.12.1 together with 2025.9.3, 6.4 and 3.2. Any deployment prior to these patched versions is susceptible.
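The version list above is easier to act on as a triage helper that an administrator can run against an inventory of Coverity Connect installations. The following is an added example, not code from the advisory or from the vendor; it encodes only the patched releases named above and assumes that the "6.4" and "3.2" in that sentence mean 2025.6.4 and 2025.3.2, that a version string has the shape year.minor.patch with an optional trailing letter (as in 2024.12.0a), and that the trailing letter does not affect whether a build carries the fix. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Patched releases as stated in the advisory text. Reading the bare "6.4" and
# "3.2" as 2025.6.4 and 2025.3.2 is an assumption made for this example.
PATCHED_BY_BRANCH = {
    (2025, 12): 1,
    (2025, 9): 3,
    (2025, 6): 4,
    (2025, 3): 2,
}

# year.minor[.patch][letter], e.g. "2024.12.0a", "2025.9.3", "2025.0a"
_VERSION_RE = re.compile(r"^(\d{4})\.(\d{1,2})(?:\.(\d+))?([a-z])?$")


class Version(NamedTuple):
    year: int
    minor: int
    patch: int
    suffix: str


def parse_version(text: str) -> Version:
    """Parse a Coverity Connect version string into comparable parts.

    A missing patch component is treated as 0. The trailing letter is kept
    for reporting only; it does not influence the fixed/vulnerable decision
    (assumption, since the advisory does not define its meaning).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Coverity Connect version: {text!r}")
    year, minor, patch, suffix = m.groups()
    return Version(int(year), int(minor), int(patch or 0), suffix or "")


def triage(text: str) -> Tuple[str, str]:
    """Classify one installed version as 'fixed', 'vulnerable' or 'unknown'.

    The second element is a short piece of advice for the operator.
    """
    v = parse_version(text)
    branch = (v.year, v.minor)
    if branch in PATCHED_BY_BRANCH:
        fixed_patch = PATCHED_BY_BRANCH[branch]
        fixed_label = f"{v.year}.{v.minor}.{fixed_patch}"
        if v.patch >= fixed_patch:
            return "fixed", f"{text} is at or above {fixed_label}"
        return "vulnerable", f"upgrade to {fixed_label} or later"
    if v.year < 2025:
        # Every 2024 release is listed as affected and no 2024 fix is named.
        return "vulnerable", "no patched build on this branch; move to a patched 2025 release"
    return "unknown", "branch not covered by the advisory text; confirm with the vendor"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in {hostname: version} to its triage status."""
    return {host: triage(version)[0] for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "coverity-prod-01": "2025.9.3",
        "coverity-prod-02": "2025.9.2",
        "coverity-legacy": "2024.12.0a",
        "coverity-lab": "2025.12.1",
    }
    for host, version in sample.items():
        status, advice = triage(version)
        print(f"{host:18} {version:12} {status:10} {advice}")
```

Run it as a script to print a per-host table, or import `triage_inventory` into a larger asset-management job; unparseable version strings raise `ValueError` rather than silently passing as fixed, which is the fail-closed behaviour you want from a check like this.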
Risk and Exploitability
With a CVSS score of 9.3 the vulnerability carries a critical risk. Although no EPSS score is reported, the attack surface, which amounts to reaching the /token endpoint and knowing a valid username, is generally available to external actors who can communicate with the Coverity server. The exploit requires no privileged local access and can be executed remotely, making it a straightforward privilege escalation attack. The absence of a formal KEV listing does not lessen the potential impact; security teams should treat the vulnerability as an imminent threat.
OpenCVE Enrichment