Published 2026-05-13 05:32 UTC · CVE-2026-2725 · CNA: Google (the record's datePublic is 2026-02-26, i.e. the issue was public well before the CVE record was published)
State: PUBLISHED · Record format: CVE JSON 5.2 (this "5.2" is the schema version, not a CVSS score — the record's metrics block carries no CVSS vector or base score) · CWE-863 Incorrect Authorization

Improper Authorization in Gerrit allowing Code Review Bypass via "Submitted Together"

Incorrect authorization in the "submitted together" feature of Gerrit 2.12 and later lets an authenticated attacker who holds force-push permission on a secondary branch bypass code review and force-submit code to restricted branches: the attacker crafts a submission whose "topic" matches that of an unapproved change, so that change is submitted together with the attacker's own. Note that the record names no fixed version (the affected entry is given only as "2.12; 0"), carries no CVSS score, and cites a single Gerrit issue-tracker reference; check that issue for the patched release before treating any version as safe.

Problem type: CWE-863 Incorrect Authorization

Affected products

Gerrit

Gerrit

2.12 and later - AFFECTED (the record encodes this as version "2.12; 0" with versionType "semver", which is not a valid semver range, and gives no fixed or unaffected version)

References: https://issues.gerritcodereview.com/issues/486131256 (Gerrit issue tracker; no vendor advisory or release note is listed in the record)

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-2725
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-2725",
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "dateUpdated": "2026-05-13T05:32:49.235Z",
    "dateReserved": "2026-02-18T21:50:06.426Z",
    "datePublished": "2026-05-13T05:32:49.235Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google",
        "dateUpdated": "2026-05-13T05:32:49.235Z"
      },
      "datePublic": "2026-02-26T00:00:00.000Z",
      "title": "Improper Authorization in Gerrit allowing Code Review Bypass via \"Submitted Together\"",
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect authorization in the \"submitted together\" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the \"topic\" tag of an unapproved change.",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "Incorrect authorization in the \"submitted together\" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the \"topic\" tag of an unapproved change."
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Gerrit",
          "product": "Gerrit",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "2.12; 0",
              "status": "affected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-863 Incorrect Authorization",
              "cweId": "CWE-863",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://issues.gerritcodereview.com/issues/486131256"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        },
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ]
    }
  }
}