CVE-2026-25660: CWE-290 Authentication bypass by spoofing in Ericsson CodeChecker
CVE-2026-25660 is a critical authentication bypass vulnerability in Ericsson's CodeChecker tool, affecting versions through 6. 27. 3. The flaw allows an attacker to bypass authentication by manipulating the URL ending with 'Authentication' combined with certain function calls, enabling assignment of arbitrary permissions to any existing user. This vulnerability has a high CVSS 4. 0 score of 9. 3, indicating severe impact. No official patch or remediation guidance has been provided yet. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CodeChecker, an analyzer tooling and defect database extension for Clang Static Analyzer and Clang Tidy, suffers from an authentication bypass vulnerability (CWE-290) identified as CVE-2026-25660. The bypass occurs when the URL ends with 'Authentication' and certain function calls are made, allowing attackers to assign arbitrary permissions to any user in the system. This issue affects CodeChecker versions through 6.27.3. The vulnerability is critical with a CVSS 4.0 score of 9.3, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No official patch or remediation level has been disclosed by Ericsson, and the product is not a cloud service.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication controls and assign arbitrary permissions to any existing user in CodeChecker. This can lead to unauthorized access and potential privilege escalation within the affected system. The high CVSS score reflects significant risk to confidentiality, integrity, and availability of the affected product. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to CodeChecker instances to trusted users and networks only. Monitor for unusual permission changes or access patterns. Avoid exposing CodeChecker interfaces to untrusted networks.
CVE-2026-25660: CWE-290 Authentication bypass by spoofing in Ericsson CodeChecker
Description
CVE-2026-25660 is a critical authentication bypass vulnerability in Ericsson's CodeChecker tool, affecting versions through 6. 27. 3. The flaw allows an attacker to bypass authentication by manipulating the URL ending with 'Authentication' combined with certain function calls, enabling assignment of arbitrary permissions to any existing user. This vulnerability has a high CVSS 4. 0 score of 9. 3, indicating severe impact. No official patch or remediation guidance has been provided yet. There are no known exploits in the wild at this time.
CVSS v4.0
Score 9.3critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CodeChecker, an analyzer tooling and defect database extension for Clang Static Analyzer and Clang Tidy, suffers from an authentication bypass vulnerability (CWE-290) identified as CVE-2026-25660. The bypass occurs when the URL ends with 'Authentication' and certain function calls are made, allowing attackers to assign arbitrary permissions to any user in the system. This issue affects CodeChecker versions through 6.27.3. The vulnerability is critical with a CVSS 4.0 score of 9.3, reflecting network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No official patch or remediation level has been disclosed by Ericsson, and the product is not a cloud service.
Potential Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication controls and assign arbitrary permissions to any existing user in CodeChecker. This can lead to unauthorized access and potential privilege escalation within the affected system. The high CVSS score reflects significant risk to confidentiality, integrity, and availability of the affected product. There are no known exploits in the wild currently.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to CodeChecker instances to trusted users and networks only. Monitor for unusual permission changes or access patterns. Avoid exposing CodeChecker interfaces to untrusted networks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ERIC
- Date Reserved
- 2026-02-04T12:41:54.869Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69eb754a87115cfb6838d4fe
Added to database: 4/24/2026, 1:51:06 PM
Last enriched: 5/1/2026, 8:47:38 PM
Last updated: 6/8/2026, 12:53:56 PM
Views: 112
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.