Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.
Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker.

This issue affects CodeChecker: through 6.27.3.
Published: 2026-04-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Authentication bypass occurs when a specific API endpoint URL ends with "Authentication" and allows an attacker to assign arbitrary permissions to any user in CodeChecker. This flaw represents improper authentication (CWE‑290) and the incorrect assignment of capabilities to the wrong principal (CWE‑863). The impact is a full privilege escalation within the CodeChecker environment, giving the attacker administrative or elevated rights over the defect database and potentially exposing internal defects or configuration data.

Affected Systems

The affected vendor is Ericsson and the product is CodeChecker. All installations up to version 6.27.3 are vulnerable. Assets running this version or earlier are at risk if the authentication bypass remains unpatched.

Risk and Exploitability

The CVSS score of 9.3 classifies this as a critical vulnerability. The EPSS score of <1% indicates that as of the last assessment the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the likely attack vector is remote access to the exposed HTTP API endpoints, which an attacker can leverage from any network location that has API connectivity. The attack does not require elevated privileges beyond a regular user, enabling widespread use if the system is exposed.

Generated by OpenCVE AI on April 28, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available CodeChecker release that addresses the authentication bypass, which covers all versions through 6.27.3.
  • Review and revoke any permissions that may have been incorrectly granted to users, resetting accounts to the least privilege required for their role.
  • Restrict direct API access to the Authentication endpoints or implement additional access controls (e.g., IP whitelisting or multi‑factor authentication) until the patch is applied to mitigate the ability to exploit the bypass.

Generated by OpenCVE AI on April 28, 2026 at 06:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4v9x-cqc5-j645 Codechecker has an authentication bypass for certain API calls
History

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ericsson
Ericsson codechecker
CPEs cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*
Vendors & Products Ericsson
Ericsson codechecker
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls.  This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
Title Authentication bypass for certain API calls
Weaknesses CWE-290
CWE-863
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Red'}

Subscriptions

Ericsson Codechecker
cve-icon MITRE

Status: PUBLISHED

Assigner: ERIC

Published:

Updated: 2026-04-24T13:51:11.174Z

Reserved: 2026-02-04T12:41:54.869Z

Link: CVE-2026-25660

cve-icon Vulnrichment

Updated: 2026-04-24T13:51:03.368Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T14:16:18.127

Modified: 2026-04-27T14:48:20.843

Link: CVE-2026-25660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses