Authorization Flaw in Gerrit by Google Affects Code Submission Features
CVE-2026-2725

6 MEDIUM

Key Information:

Vendor: Gerrit
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-2725?

An improper authorization vulnerability exists in the 'submitted together' feature of Gerrit versions 2.12 and later. The flaw allows an authenticated attacker who holds force-push permission on a secondary branch to bypass the established code review process. By crafting a submission whose 'topic' tag matches that of an unapproved change, the attacker can cause the unapproved code to be force-submitted to a restricted branch without the required review, with significant implications for code integrity and project security.

Affected Version(s)

Gerrit 2.12 and later

CVSS v4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published: 13 May 2026

  • Vulnerability reserved