CVE-2026-25660: CWE-290 Authentication bypass by spoofing in Ericsson CodeChecker
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-25660 affects Ericsson CodeChecker, a static analysis tooling and defect database viewer. It is an authentication bypass caused by URL manipulation where appending 'Authentication' with specific function calls bypasses normal authentication checks. This allows attackers to assign arbitrary permissions to any user in the system, effectively escalating privileges without authentication. The issue affects CodeChecker versions through 6.27.3. The CVSS 4.0 base score is 9.3, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No official remediation or patch has been published by Ericsson as of the data provided.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication controls and assign arbitrary permissions to any existing user in CodeChecker. This can lead to unauthorized access and privilege escalation within the affected system, potentially compromising the confidentiality, integrity, and availability of the CodeChecker environment. Given the critical CVSS score, the impact is severe. However, there are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider restricting access to CodeChecker instances to trusted users and networks only. Monitor for unusual permission changes or access patterns related to CodeChecker. Avoid exposing CodeChecker interfaces to untrusted networks. Follow Ericsson's official communications for updates on patches or mitigations.
CVE-2026-25660: CWE-290 Authentication bypass by spoofing in Ericsson CodeChecker
Description
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permission to any user existing in CodeChecker. This issue affects CodeChecker: through 6.27.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2026-25660 affects Ericsson CodeChecker, a static analysis tooling and defect database viewer. It is an authentication bypass caused by URL manipulation where appending 'Authentication' with specific function calls bypasses normal authentication checks. This allows attackers to assign arbitrary permissions to any user in the system, effectively escalating privileges without authentication. The issue affects CodeChecker versions through 6.27.3. The CVSS 4.0 base score is 9.3, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No official remediation or patch has been published by Ericsson as of the data provided.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication controls and assign arbitrary permissions to any existing user in CodeChecker. This can lead to unauthorized access and privilege escalation within the affected system, potentially compromising the confidentiality, integrity, and availability of the CodeChecker environment. Given the critical CVSS score, the impact is severe. However, there are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider restricting access to CodeChecker instances to trusted users and networks only. Monitor for unusual permission changes or access patterns related to CodeChecker. Avoid exposing CodeChecker interfaces to untrusted networks. Follow Ericsson's official communications for updates on patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ERIC
- Date Reserved
- 2026-02-04T12:41:54.869Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eb754a87115cfb6838d4fe
Added to database: 4/24/2026, 1:51:06 PM
Last enriched: 4/24/2026, 2:06:13 PM
Last updated: 4/24/2026, 4:09:30 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.