Vulnerability Description
Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the "topic" tag of an unapproved change.
References
- https://issues.gerritcodereview.com/issues/486131256
FAQ
What is CVE-2026-2725?
CVE-2026-2725 is a documented vulnerability. Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review a...
How severe is CVE-2026-2725?
CVSS scoring is not yet available for CVE-2026-2725. Check NVD for updates.
Is there a patch for CVE-2026-2725?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.