CVE-2026-25660
Published: 24 April 2026
Summary
CVE-2026-25660 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Ericsson Codechecker. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 21.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw Remediation (SI-2): directly addresses and patches the specific authentication bypass vulnerability in CodeChecker, preventing exploitation.
- Access Enforcement (AC-3): ensures logical access policies are applied, mitigating the improper bypass that allows unauthorized permission assignments.
- Identification and Authentication (IA-2): robust identification and authentication for organizational users prevents authentication bypass vulnerabilities like the URL-based flaw in CodeChecker.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated authentication bypass in a public-facing CodeChecker web application directly enables T1190; the ability to assign arbitrary or elevated permissions to existing users directly enables T1098 (Account Manipulation).
NVD Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
Deeper analysis
CVE-2026-25660 is an authentication bypass vulnerability in CodeChecker, an analyzer tooling, defect database, and viewer extension for the Clang Static Analyzer and Clang Tidy. The issue arises when a request URL ends with "Authentication" and is combined with certain function calls, which lets an attacker bypass authentication and assign arbitrary permissions to any existing CodeChecker user. It affects all versions of CodeChecker through 6.27.3 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), with associated weaknesses CWE-290 (Authentication Bypass by Spoofing) and CWE-863 (Incorrect Authorization).
The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. Successful exploitation allows attackers to grant elevated permissions to arbitrary existing users, potentially leading to full compromise of the CodeChecker instance, including high-impact confidentiality, integrity, and availability violations such as data access, modification, or denial of service.
The GitHub Security Advisory at https://github.com/Ericsson/codechecker/security/advisories/GHSA-4v9x-cqc5-j645 provides further details on the vulnerability, including recommended mitigations and patches. Security practitioners should consult this advisory for version-specific remediation steps.
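To make the weakness class concrete for defenders, the following added example (hypothetical code, not CodeChecker's own, with constructed route and RPC names) contrasts an authentication gate that exempts requests by URL suffix, the pattern the advisory describes, with a deny-by-default gate that matches the exact public route and always checks a session for permission-changing calls; an audit helper flags logged paths the flawed gate would have waved through.

```python
from urllib.parse import urlsplit

# Constructed route table for this illustration: only the login endpoint
# may be reached without a session. Nothing here is CodeChecker's own code.
PUBLIC_ROUTES = {"/v6/Authentication"}
# Constructed names for calls that change permissions; these must never be
# reachable anonymously, whatever path they arrive on.
PRIVILEGED_CALLS = {"addPermission", "removePermission"}


def has_session(headers: dict) -> bool:
    # Stand-in for real session validation (token lookup, expiry, etc.).
    return headers.get("Cookie", "").startswith("session=")


def vulnerable_gate(url: str, rpc_method: str, headers: dict) -> bool:
    """Flawed pattern: the exemption is keyed on the URL suffix, so any path
    whose last segment is 'Authentication' skips the session check even when
    it routes elsewhere and carries a privileged call (rpc_method is ignored)."""
    path = urlsplit(url).path
    if path.endswith("Authentication"):
        return True
    return has_session(headers)


def hardened_gate(url: str, rpc_method: str, headers: dict) -> bool:
    """Deny by default: privileged calls always need a session, and only an
    exact, normalised match against the public route table is exempt."""
    if rpc_method in PRIVILEGED_CALLS:
        return has_session(headers)
    path = urlsplit(url).path.rstrip("/")
    if path in PUBLIC_ROUTES:
        return True
    return has_session(headers)


def audit_paths(access_log: list[str]) -> list[str]:
    """Flag logged paths ending in 'Authentication' that are not the real
    public route: requests worth reviewing on unpatched servers."""
    flagged = []
    for line in access_log:
        path = line.split()[1]  # constructed log format: METHOD PATH STATUS
        if path.endswith("Authentication") and path.rstrip("/") not in PUBLIC_ROUTES:
            flagged.append(path)
    return flagged
```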
Details
- CWE(s)