At Black Duck, the security and integrity of our products is our highest priority. When that is compromised, we are committed to communicating as openly and proactively as possible. We recently identified a security vulnerability in Coverity Connect. Affected customers have already been notified and provided with comprehensive mitigation measures to address the issue.


Understanding the issue

On January 26, 2026, Black Duck received a report from Cenobe through our responsible disclosure program of a potential security vulnerability in Coverity® Static Analysis. Our Incident Response and Engineering teams immediately launched a thorough investigation, which confirmed the existence of a logic issue in the authentication controls within the Coverity Connect component.

This vulnerability, designated CVE-2026-1496, potentially allows unauthorized users to bypass established authentication controls and assume the roles and privileges of authorized Coverity users. The vulnerability is rated 9.3 (Critical) under CVSSv4 due to its theoretical worst-case impact. However, the actual risk exposure depends significantly on each customer’s specific deployment configuration.

Importantly, our investigation confirmed that this vulnerability is limited exclusively to Coverity Connect. It does not affect Coverity on Black Duck Polaris™ Platform or any other Black Duck products. Additionally, we have verified that exploiting this vulnerability does not create potential access to the Black Duck network or customer data on Black Duck systems. To date, Black Duck has no evidence to indicate that this vulnerability is under active exploitation.

Our response and available solutions

Black Duck has moved swiftly to develop and deploy comprehensive mitigation measures for all affected customers. We understand that different organizations have different operational constraints, so we have created multiple mitigation pathways.

  • Patches and full installers: We have released patches for all the vulnerable Coverity releases and full installers for versions 2025.12 - 2024.12. We strongly recommend installing the appropriate patch or full installer immediately.
  • Alternative mitigation strategies: For organizations unable to install a patch or full installer immediately, we have provided detailed instructions for implementing web application firewall (WAF) rules or Tomcat configurations that effectively mitigate the vulnerability while you plan your upgrade path.
  • Detection tools: We have developed a Python script that enables customers to analyze Coverity logs for potential indicators of compromise.

All patches, tools, documentation, and guidance can be found here.

Recommended actions

We recommend that all Coverity Connect customers take the following steps:

  1. Install the appropriate patch or full installer for your version as soon as operationally feasible.
  2. If immediate installation is not possible, implement the provided WAF rules or Tomcat configuration.
  3. Review, invalidate, and reissue all authentication keys in your Coverity system as an additional security measure.
  4. Run the provided Python script to check for indications of compromise.

Because Coverity is deployed on premises, any potential impact would be limited to data within your local Coverity instance. However, we strongly recommend ensuring that Coverity Connect is not made openly internet-accessible.

Moving forward

We recognize the trust placed in Black Duck to secure development environments, and we take that responsibility seriously. This notification reflects our policy of informing customers promptly, providing actionable mitigations, and maintaining open communication throughout the remediation process. For customers needing additional support, please work closely with your Black Duck account team or contact us at [email protected]. We will continue to keep you informed of any new developments.

A word of thanks to Cenobe

Black Duck would like to recognize the professionalism of the Cenobe team. We appreciate their cooperation and ethical approach during the responsible disclosure process.
