PT-2026-53409 · Pypi · Codechecker

Published

2026-06-29

·

Updated

2026-06-29

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

Summary

Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permissions to any existing user in CodeChecker.

Details

The following functions are affected under the Authentication endpoint: getAuthorisedNames, getPermissionsForUser, hasPermission, addPermission, and removePermission.
The vulnerability allows unauthenticated users to execute these function calls with arbitrary arguments. In the logs, the exploit shows as follows:
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@getAuthorisedNames
[INFO 2026-04-23 21:23] - 127.0.0.1:42654 -- [Anonymous] POST /v6.67/Authentication@addPermission

Impact

An attacker with a CodeChecker user can effectively acquire superuser permissions by calling these endpoints.

Patch

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-317

Affected Products

Codechecker