PatchSiren

CVE-2026-6902 Perforce CVE debrief

CVE-2026-6902 describes a code-injection weakness in the P4 Server command-line client that affects versions prior to 2025.2 Patch 2. NVD rates the issue HIGH with a CVSS v4 score of 7.7 and maps it to CWE-94. The available record is brief, but it indicates a network-reachable issue that may require user interaction and could affect confidentiality, integrity, and availability if triggered.

Vendor: Perforce
Product: P4 (Helix Core)
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-20
Advisory published: 2026-05-18
Advisory updated: 2026-05-20

Who should care

Administrators, security teams, and developers operating P4 Server deployments should care, especially where the command-line client is used in automated workflows or by privileged users. Organizations that rely on Perforce-adjacent tooling or packaging should also verify whether their installations are on a fixed release.

Technical summary

The supplied NVD record for CVE-2026-6902 identifies a vulnerability in the Command-Line Client in P4 Server prior to 2025.2 Patch 2. The weakness is classified as CWE-94 (code injection). NVD's CVSS v4 vector indicates network attack potential, no privileges required, user interaction required, and high potential impact to confidentiality, integrity, and availability. The public detail is limited to the record and referenced advisory title, so no more specific exploitation path is supported by the supplied corpus.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade P4 Server to 2025.2 Patch 2 or later.
  • Inventory all P4 Server instances and confirm which ones use the affected command-line client.
  • Review automation, scripts, and user workflows that invoke the command-line client, especially where untrusted input may be processed.
  • Limit exposure of administrative or interactive workflows to trusted users until patched.
  • Monitor vendor advisories and the official NVD record for any follow-up guidance or updated scope details.
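
One way to triage an inventory against the "prior to 2025.2 Patch 2" threshold, as an added example that is not part of the NVD record or Perforce's own tooling. It assumes `p4 -V` output has been collected per host and contains a line of the form `Rev. P4/<platform>/<year>.<n>/<build> (<date>).`; the host names and build numbers are constructed, and because this page gives no build number for Patch 2, 2025.2 installs are flagged for a manual patch-level check.

```python
import re

# Threshold from the page: releases prior to 2025.2 Patch 2 are affected.
FIXED_RELEASE = (2025, 2)

# Assumed layout of `p4 -V` output: Rev. P4/<platform>/<year>.<n>/<build> (<date>).
REV_RE = re.compile(r"Rev\. P4/([^/\s]+)/(\d{4})\.(\d+)/(\d+)")


def classify(version_output):
    """Return a triage status for one captured `p4 -V` output."""
    m = REV_RE.search(version_output)
    if m is None:
        return "unknown"            # unparseable: inspect the host by hand
    release = (int(m.group(2)), int(m.group(3)))
    if release < FIXED_RELEASE:
        return "upgrade"            # older release line, affected per the record
    if release == FIXED_RELEASE:
        # The page gives no build number for Patch 2, so the patch level
        # has to be confirmed against the vendor's release notes.
        return "check-patch-level"
    return "newer-release"          # release line later than 2025.2


def triage(inventory):
    """Group hosts by status; inventory maps host -> `p4 -V` output."""
    report = {}
    for host, output in sorted(inventory.items()):
        report.setdefault(classify(output), []).append(host)
    return report


# Constructed sample inventory (hosts and build numbers are made up).
SAMPLE = {
    "build-01": "Rev. P4/LINUX26X86_64/2024.1/1111111 (2024/06/01).",
    "build-02": "Rev. P4/LINUX26X86_64/2025.2/2222222 (2025/11/01).",
    "dev-mac": "Rev. P4/MACOSX12ARM64/2026.1/3333333 (2026/04/01).",
    "ci-win": "p4: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```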

Evidence notes

This debrief uses only the supplied NVD record and its linked official reference. The NVD metadata lists the weakness as CWE-94 and the CVSS v4 score as 7.7 HIGH. The vendor attribution in the prompt is low confidence and marked for review, with only a reference-domain hint toward Perforce. No exploit details, affected-version breadth beyond "prior to 2025.2 Patch 2," or remediation specifics beyond upgrading are supported by the source corpus.

Official resources

Publicly listed in NVD on 2026-05-18, with the linked advisory reference pointing to a Perforce security notice. This debrief is based only on the supplied official record and reference material.