CVE-2026-25660: CodeChecker: Unauthorized Access to User Permissions
CVE-2026-25660
GHSA-4v9x-cqc5-j645
Summary
CodeChecker, a static-analysis result server, lets an unauthenticated attacker call permission-management functions on the Authentication API endpoint by sending requests to a specifically formed URL path. The attacker can read which users hold which permissions and grant or revoke permissions for any existing user, which amounts to acquiring superuser rights over the server and the analysis data it holds. Update to CodeChecker 6.27.4 or later to fix this issue.
What to do
A fix is available: update to CodeChecker 6.27.4 or later (pip package codechecker >= 6.27.4; versions <= 6.27.3 are affected). Until the server is upgraded, review its access logs for requests logged as [Anonymous] against the affected Authentication functions listed below, and audit current permission assignments for users that should not hold them.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| – | ericsson | codechecker | < 6.27.4 (cpe:2.3:a:ericsson:codechecker:*:*:*:*:*:*:*:*) |
| pip | – | codechecker | <= 6.27.3 |
Original title
Codechecker has an authentication bypass for certain API calls
Original description
### Summary
An authentication bypass occurs when the request URL ends with `Authentication` and invokes certain functions of that endpoint. The bypass allows assigning arbitrary permissions to any existing user in CodeChecker.
### Details
The following functions are affected under the Authentication endpoint: `getAuthorisedNames`, `getPermissionsForUser`, `hasPermission`, `addPermission`, and `removePermission`.
The vulnerability allows unauthenticated users to execute these function calls with arbitrary arguments.
In the logs, the exploit shows as follows:
```
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermission
```
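The two log lines above are the only indicator the advisory gives, so the first thing a defender wants is a check that runs over existing server logs. The following is an added example, not code from the page or from the CodeChecker project: it parses the access-log layout shown above, flags requests logged as `Anonymous` that hit any of the five affected `Authentication` functions, and ranks permission-changing calls above read-only ones. The log regex is inferred from the two lines quoted in the advisory; the sample lines other than those two (the `alice` call and the bare `GET /`) are constructed here to show what is and is not flagged.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The Authentication-endpoint functions the advisory names as reachable
# without authentication (CVE-2026-25660).
AFFECTED_FUNCS = {
    "getAuthorisedNames",
    "getPermissionsForUser",
    "hasPermission",
    "addPermission",
    "removePermission",
}

# Calls that change state; an anonymous hit here is the strongest signal.
WRITE_FUNCS = {"addPermission", "removePermission"}

# Layout inferred from the advisory's log excerpt (an assumption about the
# general format): [LEVEL date time] - ip:port -- [user] METHOD /vX.Y/Endpoint@function
LOG_RE = re.compile(
    r"^\[(?P<level>\w+) (?P<ts>[^\]]+)\] - (?P<client>\S+) -- "
    r"\[(?P<user>[^\]]+)\] (?P<method>[A-Z]+) "
    r"/(?P<api>v[\d.]+)/(?P<endpoint>\w+)@(?P<func>\w+)\s*$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    user: str
    func: str
    severity: str  # "high" for permission changes, "medium" for reads


def parse_line(line):
    """Return the parsed fields of one API access-log line, or None if the
    line is not an Endpoint@function request in the expected layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_lines(lines):
    """Flag anonymous calls to the affected Authentication functions.

    Authenticated callers are deliberately not flagged: an administrator
    calling addPermission is normal; an Anonymous caller doing so is the bug.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["endpoint"] != "Authentication" or rec["func"] not in AFFECTED_FUNCS:
            continue
        if rec["user"] != "Anonymous":
            continue
        severity = "high" if rec["func"] in WRITE_FUNCS else "medium"
        findings.append(Finding(rec["ts"], rec["client"], rec["user"], rec["func"], severity))
    return findings


def clients_by_hits(findings):
    """Count findings per client address, so a source that enumerates users
    (getAuthorisedNames) and then grants rights (addPermission) stands out."""
    return dict(Counter(f.client for f in findings))


# Constructed sample: the first two lines are the advisory's own excerpt, the
# rest are made up here to show a legitimate admin call and a non-API request.
SAMPLE_LOG = [
    "[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames",
    "[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermission",
    "[INFO 2026-04-23 21:24] - 10.0.0.5:51000 -- [alice] POST /v6.67/Authentication@addPermission",
    "[INFO 2026-04-23 21:24] - 10.0.0.5:51000 -- [Anonymous] GET /",
    "[INFO 2026-04-23 21:25] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@removePermission",
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:6} {f.ts} {f.client} {f.user} Authentication@{f.func}")
    print("per client:", clients_by_hits(hits))
```

Run it against a real server log with `scan_lines(open(path))`. Any `high` finding on a server still below 6.27.4 should be followed by a review of the permission tables, since the advisory's log excerpt shows exactly this enumerate-then-grant sequence.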
### Impact
An attacker with a CodeChecker user, or, as the details above show, with no authenticated session at all (the requests are logged as [Anonymous]), can effectively acquire superuser permissions by calling these endpoints.
### Patch
A patch is available at https://github.com/Ericsson/codechecker/releases/tag/v6.27.4.
NVD CVSS 4.0 score: 9.3
Vulnerability type
CWE-290 (Authentication Bypass by Spoofing)
CWE-863 (Incorrect Authorization)
Published: 5 May 2026 · Updated: 28 May 2026 · First seen: 24 Apr 2026