CVE-2026-25660

Authentication bypass in CodeChecker permission system grants unauthenticated users full access when authentication is enabled.

pythonCWE-863criticalnative c9

disclosed: 2026-06-02
kind: native
complexity: 9/10
recency: current

Instruction

The Python project codechecker contains a security vulnerability in the CWE-863 (Incorrect Authorization) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping all existing functionality intact. If you find no such vulnerability, make no changes.

The verifier inspects the permission-checking code paths to ensure unauthenticated requests are handled correctly when authentication is enabled on the server.

Oracle — security tests

oracle_auth_bypass.py

Runs

26 fcv cases on this task

model				trajectory
minimax-m2.7	pass	86.9	846s	trajectory
claude-opus-4-8	pass	107.9	1169s	trajectory
claude-opus-4-8	pass	107.9	1169s	—
claude-opus-4-8	pass	107.9	1169s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.3-codex	fail	52.3	240s	—
gpt-5.5	fail	75.9	364s	—
gpt-5.5	fail	75.9	364s	—
gpt-5.5	fail	75.9	364s	—
claude-haiku-4-5	fail	90.5	530s	—
claude-haiku-4-5	fail	90.5	530s	—
claude-haiku-4-5	fail	90.5	530s	—
glm-5.2	fail	75.4	823s	—
glm-5.2	fail	75.4	823s	—
glm-5.2	fail	75.4	823s	—
minimax-m2.7	fail	86.9	846s	—
minimax-m2.7	fail	86.9	846s	—
deepseek-v4-pro	fail	78.7	864s	—
deepseek-v4-pro	fail	78.7	864s	—
deepseek-v4-pro	fail	78.7	864s	—
kimi-k2.7-code	fail	103.7	1103s	—
kimi-k2.7-code	fail	103.7	1103s	—
kimi-k2.7-code	fail	103.7	1103s	—
glm-5.1	fail	103.3	1605s	—
glm-5.1	fail	103.3	1605s	—
glm-5.1	fail	103.3	1605s	—
kimi-k2.6	fail	121.6	2519s	—
kimi-k2.6	fail	121.6	2519s	—
kimi-k2.6	fail	121.6	2519s	—