PatchSiren cyber security CVE debrief

CVE-2026-2725 Google CVE debrief

CVE-2026-2725 is a medium-severity vulnerability in Gerrit, the code review system developed by Google. The flaw is incorrect authorization in the 'submitted together' feature: an authenticated attacker who holds force-push permission on a secondary branch can bypass code review and submit code to restricted branches. The attacker does this by crafting a change whose topic matches the topic of an unapproved change, so that the submitted-together set includes the unapproved change. Gerrit versions 2.12 and later are affected. The CVE was published on May 13, 2026, and last modified on June 30, 2026.

Vendor: Google
Product: Gerrit
CVSS: 6 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-13
Original CVE updated: 2026-06-30
Advisory published: 2026-05-13
Advisory updated: 2026-06-30

Who should care

Anyone who administers a Gerrit instance, and anyone who owns a branch that is protected by review. The precondition is an ordinary one: an account that holds Push with the Force Push option on any branch, including a throwaway or sandbox branch, is enough. Administrators should therefore audit who holds force-push on every branch, not only on the protected ones, and confirm that a submitted-together set cannot include changes the submitter is not allowed to submit. Owners of restricted branches should treat an open, unapproved change on their branch that shares a topic with changes on less restricted branches as a warning sign.

Technical summary

Gerrit's 'submitted together' feature lets several changes be submitted as one unit; in particular, changes that share a topic are grouped so that submitting one submits all of them (the grouping by topic is controlled by the change.submitWholeTopic option in gerrit.config). The advisory says no more than that authorization on this grouped submission is incorrect. In Gerrit 2.12 and later, an authenticated attacker who holds force-push permission on a secondary branch can create a change on that branch whose topic matches the topic of an unapproved change on a restricted branch and submit it; the grouping then carries the unapproved change onto the restricted branch without the review that branch requires. The stored advisory text does not say whether submitWholeTopic must be enabled for the attack to work, so check the setting on your instance rather than assume either way.
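The grouping described above can be spotted from the change list alone. The following is an added example (not code from the advisory or from the Gerrit project) that takes records in the shape Gerrit returns from GET /changes/?q=status:open&o=SUBMITTABLE and reports two things: topics an attacker could join by setting them on a change of their own, and topics where an unapproved change on a restricted branch is already grouped with a change on an unrestricted branch. The sample records, branch names and the restricted-branch patterns are constructed for the example.

```python
import fnmatch
from collections import defaultdict

# Constructed sample in the shape of Gerrit ChangeInfo records, as returned by
# GET /changes/?q=status:open&o=SUBMITTABLE. Numbers, projects and topics are
# made up for this example; "submittable" is the flag Gerrit sets when all
# required approvals are present.
SAMPLE_CHANGES = [
    {"_number": 1001, "project": "app", "branch": "sandbox/alice",
     "topic": "hotfix-login", "status": "NEW", "submittable": True},
    {"_number": 1002, "project": "app", "branch": "release/2.4",
     "topic": "hotfix-login", "status": "NEW", "submittable": False},
    {"_number": 1003, "project": "app", "branch": "master",
     "topic": "refactor-db", "status": "NEW", "submittable": False},
    {"_number": 1004, "project": "lib", "branch": "master",
     "topic": "refactor-db", "status": "NEW", "submittable": False},
    {"_number": 1005, "project": "app", "branch": "sandbox/bob",
     "topic": "old-fix", "status": "MERGED", "submittable": False},
    {"_number": 1006, "project": "app", "branch": "master",
     "status": "NEW", "submittable": False},          # no topic: cannot be grouped
]


def is_restricted(branch, restricted_patterns):
    """Branch names are the short form Gerrit reports in ChangeInfo.branch
    (no refs/heads/ prefix); patterns use shell-style wildcards."""
    return any(fnmatch.fnmatchcase(branch, p) for p in restricted_patterns)


def open_changes_by_topic(changes):
    """Group open changes that carry a topic. Merged or abandoned changes and
    changes without a topic can never be part of a submitted-together set."""
    topics = defaultdict(list)
    for change in changes:
        if change.get("status") != "NEW" or not change.get("topic"):
            continue
        topics[change["topic"]].append(change)
    return topics


def joinable_topics(changes, restricted_patterns):
    """Topics currently attached to an unapproved open change on a restricted
    branch. An attacker only needs to put one of these topics on a change of
    their own to create the grouping the advisory describes."""
    return {
        topic
        for topic, members in open_changes_by_topic(changes).items()
        if any(is_restricted(m["branch"], restricted_patterns) and not m.get("submittable")
               for m in members)
    }


def risky_topics(changes, restricted_patterns):
    """Topics where the grouping already exists: at least one change sits on an
    unrestricted branch and at least one unapproved change sits on a restricted
    branch. Returns {topic: sorted numbers of the unapproved restricted changes}."""
    findings = {}
    for topic, members in open_changes_by_topic(changes).items():
        on_unrestricted = any(not is_restricted(m["branch"], restricted_patterns)
                              for m in members)
        unapproved = sorted(
            m["_number"] for m in members
            if is_restricted(m["branch"], restricted_patterns) and not m.get("submittable")
        )
        if on_unrestricted and unapproved:
            findings[topic] = unapproved
    return findings


if __name__ == "__main__":
    restricted = ["master", "release/*"]
    print("topics an attacker could join:",
          sorted(joinable_topics(SAMPLE_CHANGES, restricted)))
    for topic, numbers in risky_topics(SAMPLE_CHANGES, restricted).items():
        print(f"topic {topic!r}: unapproved restricted changes {numbers} "
              "are grouped with a change on an unrestricted branch")
```

Run it against the real change list by replacing SAMPLE_CHANGES with the parsed response of the query above and the patterns with your protected branch names; a non-empty risky_topics result on a server that has not been patched is worth treating as an incident rather than a curiosity.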

Defensive priority

Medium

Recommended defensive actions

  • Audit every project's access rules (project.config in refs/meta/config) for Push grants carrying the +force option (push = +force group ...) on any branch, sandbox and personal branches included; the attack needs force-push on only one branch, so a grant on an unimportant branch exposes every restricted branch
  • Check whether topic grouping is enabled (change.submitWholeTopic in gerrit.config) and whether you actually need it; review open changes whose topic spans branches with different protection levels
  • Monitor restricted branches for merges of changes that were never approved, and for changes submitted together with a change from another branch (the 'Submitted Together' view of a change, or GET /changes/{id}/submitted_together); keep the submit and access-change events in your audit log long enough to reconstruct who submitted what
  • Apply the Gerrit update that fixes this CVE; the stored advisory does not name the fixed version, so confirm it against Google's release notes before declaring an instance patched
  • Until patched, remove force-push from groups that do not also hold submit on the restricted branches, or require the same approvals on every change in a topic before any of them can be submitted
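The first and last actions above reduce to one question per project: which groups hold force-push anywhere, and which branches can those groups not push to or submit on directly? The following is an added example, not code from the advisory or from Gerrit itself, that parses the access sections of a project.config in Gerrit's own syntax and answers that question. The sample config, group names and branch list are constructed; the permission evaluation is deliberately simplified (block and deny both win, parent-project inheritance is ignored), so treat its output as a worklist to verify in the Gerrit UI rather than as an authoritative verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Gerrit project.config (the file kept in refs/meta/config),
# written in Gerrit's own syntax. Groups and refs are made up for this example.
SAMPLE_PROJECT_CONFIG = """
[access "refs/*"]
    read = group Anonymous Users
[access "refs/for/refs/heads/*"]
    push = group Developers
[access "refs/heads/*"]
    label-Code-Review = -2..+2 group Release Managers
    label-Code-Review = -1..+1 group Developers
    submit = group Release Managers
[access "refs/heads/release/*"]
    push = block group Developers
[access "refs/heads/sandbox/*"]
    push = +force group Developers
    submit = group Developers
"""

# Constructed list of branches that exist on the server; in practice take it
# from `git ls-remote` or GET /projects/{name}/branches/.
SAMPLE_BRANCHES = ["refs/heads/master", "refs/heads/release/2.4", "refs/heads/sandbox/alice"]

SECTION_RE = re.compile(r'^\[(?P<name>[\w-]+)(?:\s+"(?P<sub>[^"]*)")?\]$')
KEY_RE = re.compile(r'^(?P<key>[\w-]+)\s*=\s*(?P<value>.*)$')
# Gerrit grant syntax: [deny|block] [+force] [min..max] group <name>
GRANT_RE = re.compile(
    r'^(?:(?P<mode>deny|block)\s+)?(?:(?P<force>\+force)\s+)?'
    r'(?:[-+]?\d+\.\.[-+]?\d+\s+)?group\s+(?P<group>.+)$')


@dataclass(frozen=True)
class Grant:
    ref: str
    permission: str
    group: str
    force: bool
    mode: str  # "allow", "deny" or "block"


def parse_grants(text):
    """Extract every grant from the [access "<ref>"] sections of a project.config."""
    grants, section, ref = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section, ref = m.group("name"), m.group("sub")
            continue
        m = KEY_RE.match(line)
        if not m or section != "access" or ref is None:
            continue
        g = GRANT_RE.match(m.group("value").strip())
        if not g:
            continue
        grants.append(Grant(ref, m.group("key"), g.group("group").strip(),
                            g.group("force") is not None, g.group("mode") or "allow"))
    return grants


def ref_matches(pattern, ref):
    """Gerrit access patterns: exact ref, trailing '*' prefix, or '^' regex."""
    if pattern.startswith("^"):
        return re.fullmatch(pattern[1:], ref) is not None
    if pattern.endswith("*"):
        return ref.startswith(pattern[:-1])
    return pattern == ref


def can(grants, group, permission, ref):
    """Simplified evaluation: any matching block or deny wins, otherwise any
    matching allow. Parent-project inheritance is ignored (per-file only)."""
    matching = [g for g in grants
                if g.group == group and g.permission == permission and ref_matches(g.ref, ref)]
    if any(g.mode != "allow" for g in matching):
        return False
    return bool(matching)


def force_push_grants(grants):
    """Grants that hand out Push with the Force Push option; this is the
    attacker precondition in the advisory."""
    return [g for g in grants if g.permission == "push" and g.force and g.mode == "allow"]


def exposed_branches(grants, branches):
    """For every group holding force-push somewhere, list the branches it can
    neither push to nor submit on: the restricted branches such a group could
    reach through the topic grouping this CVE describes."""
    exposure = {}
    for fp in force_push_grants(grants):
        restricted = [b for b in branches
                      if not can(grants, fp.group, "submit", b)
                      and not can(grants, fp.group, "push", b)]
        if restricted:
            exposure.setdefault(fp.group, set()).update(restricted)
    return {group: sorted(refs) for group, refs in exposure.items()}


if __name__ == "__main__":
    grants = parse_grants(SAMPLE_PROJECT_CONFIG)
    for fp in force_push_grants(grants):
        print(f"force-push: group {fp.group!r} on {fp.ref}")
    for group, refs in exposed_branches(grants, SAMPLE_BRANCHES).items():
        print(f"group {group!r} cannot push or submit on {refs} but holds force-push elsewhere")
```

In the constructed config the Developers group holds force-push on refs/heads/sandbox/* while being unable to push to or submit on master or the release branches; that is exactly the position the advisory's attacker needs, so the fix is to drop the +force grant or to give that group no path to a topic shared with a protected branch.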

Evidence notes

The stored evidence for CVE-2026-2725 states that Gerrit versions 2.12 and later are affected, that an authenticated attacker with force-push permission on a secondary branch can bypass code review and submit code to restricted branches, that the CVE was published on May 13, 2026, and modified on June 30, 2026, and that the vendor, Google, has provided patches and updates that fix the vulnerability. The evidence does not name the fixed version or state whether submit-whole-topic must be enabled.

Official resources

This article was generated with AI assistance based on the supplied source corpus.