3 vulnerabilities by Gerrit
CVE-2026-2725 (GCVE-0-2026-2725)
Vulnerability from cvelistv5 – Published: 2026-05-13 05:32 – Updated: 2026-05-13 14:44
Title
Improper Authorization in Gerrit allowing Code Review Bypass via "Submitted Together"
Summary
Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker who holds force-push permission on a secondary branch to bypass code review and submit code to a restricted branch: the attacker crafts a submission whose "topic" matches that of an unapproved change, so the unapproved change is carried along by the "submitted together" logic. Note that the CVE record gives the affected range only as "2.12 and later" and names no fixed version; consult the referenced Gerrit issue-tracker entry for fix status before treating any release as patched. Since the attack requires force-push rights, auditing and minimising who holds the force-push permission on any branch of a project with protected branches reduces exposure in the meantime.
Severity — CNA (Google) CVSS v4.0 base score 6.0 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N: network-reachable, low privileges, no user interaction, but an attack requirement is present (the force-push permission); impact is high on integrity of the vulnerable system only.
SSVC
Exploitation: poc (CISA SSVC — a public proof-of-concept exists; the CISA ADP tags the referenced Gerrit issue as "exploit")
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner: Google (CNA)
References
1 reference: https://issues.gerritcodereview.com/issues/486131256 (tagged "exploit" by the CISA ADP)
Date Public
2026-02-26 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2725",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T14:43:52.068693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T14:44:08.541Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://issues.gerritcodereview.com/issues/486131256"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Gerrit",
"vendor": "Gerrit",
"versions": [
{
"status": "affected",
"version": "2.12; 0",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect authorization in the \"submitted together\" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the \"topic\" tag of an unapproved change."
}
],
"value": "Incorrect authorization in the \"submitted together\" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted branches via a crafted submission matching the \"topic\" tag of an unapproved change."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
},
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T05:32:49.235Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://issues.gerritcodereview.com/issues/486131256"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Authorization in Gerrit allowing Code Review Bypass via \"Submitted Together\"",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2026-2725",
"datePublished": "2026-05-13T05:32:49.235Z",
"dateReserved": "2026-02-18T21:50:06.426Z",
"dateUpdated": "2026-05-13T14:44:08.541Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-8920 (GCVE-0-2020-8920)
Vulnerability from cvelistv5 – Published: 2020-12-10 10:15 – Updated: 2024-08-04 10:12
Title
Overoptimization leads to private information leak in Gerrit
Summary
An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users' personal information associated with their accounts.
Severity — CNA (Google) CVSS v3.1 base score 3.5 (Low), vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (low privileges required, confidentiality impact only; the CNA scored the attack vector as adjacent network).
CWE
- CWE-285 - Improper Authorization
Assigner: Google (security@google.com)
References
7 references
| URL | Tags |
|---|---|
| https://www.gerritcodereview.com/2.15.html#21521 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/2.16.html#21625 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.0.html#3014 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.1.html#3110 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.2.html#325 | x_refsource_CONFIRM |
| https://gerrit.googlesource.com/gerrit/+/45071d69… | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/2.14.html#21422 | x_refsource_CONFIRM |
Impacted products: Gerrit (vendor Gerrit), stable branches prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10 and 3.2.5; those releases are the first unaffected version on each branch.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.990Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.2.html#325"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/2.14.html#21422"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Gerrit",
"vendor": "Gerrit",
"versions": [
{
"changes": [
{
"at": "2.15.21",
"status": "unaffected"
},
{
"at": "2.16.25",
"status": "unaffected"
},
{
"at": "3.0.15",
"status": "unaffected"
},
{
"at": "3.1.10",
"status": "unaffected"
},
{
"at": "3.2.5",
"status": "unaffected"
}
],
"lessThan": "2.14.22",
"status": "affected",
"version": "stable",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users\u0027 personal information associated with their accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-10T10:15:23.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.2.html#325"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/2.14.html#21422"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Overoptimization leads to private information leak in Gerrit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2020-8920",
"STATE": "PUBLIC",
"TITLE": "Overoptimization leads to private information leak in Gerrit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Gerrit",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.14.22"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.15.21"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.16.25"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.0.15"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.1.10"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.2.5"
}
]
}
}
]
},
"vendor_name": "Gerrit"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information leak vulnerability exists in Gerrit versions prior to 2.14.22, 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where an overoptimization with the FilteredRepository wrapper skips the verification of access on All-Users repositories, allowing an attacker to get read access to all users\u0027 personal information associated with their accounts."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.gerritcodereview.com/2.15.html#21521",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"name": "https://www.gerritcodereview.com/2.16.html#21625",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"name": "https://www.gerritcodereview.com/3.0.html#3014",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"name": "https://www.gerritcodereview.com/3.1.html#3110",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"name": "https://www.gerritcodereview.com/3.2.html#325",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.2.html#325"
},
{
"name": "https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33",
"refsource": "CONFIRM",
"url": "https://gerrit.googlesource.com/gerrit/+/45071d6977932bca5a1427c8abad24710fed2e33"
},
{
"name": "https://www.gerritcodereview.com/2.14.html#21422",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/2.14.html#21422"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2020-8920",
"datePublished": "2020-12-10T10:15:23.000Z",
"dateReserved": "2020-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8919 (GCVE-0-2020-8919)
Vulnerability from cvelistv5 – Published: 2020-12-10 10:15 – Updated: 2024-08-04 10:12
Title
Information leakage in Gerrit
Summary
An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of privileges to read all other users' personal account data as well as sub-trees with restricted access.
Severity — CNA (Google) CVSS v3.1 base score 3.5 (Low), vector CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (low privileges required, confidentiality impact only; the CNA scored the attack vector as adjacent network).
CWE
- CWE-285 - Improper Authorization
Assigner: Google (security@google.com)
References
6 references
| URL | Tags |
|---|---|
| https://gerrit.googlesource.com/gerrit/+/0532fb87… | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/2.15.html#21521 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/2.16.html#21625 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.0.html#3014 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.1.html#3110 | x_refsource_CONFIRM |
| https://www.gerritcodereview.com/3.2.html#325 | x_refsource_CONFIRM |
Impacted products: Gerrit (vendor Gerrit), stable branches prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10 and 3.2.5. Unlike CVE-2020-8920, this record lists no 2.14.x fix version, so operators on the 2.14 branch should check the linked release notes and fix commit rather than assume a patched 2.14 release exists.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:12:10.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.gerritcodereview.com/3.2.html#325"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Gerrit",
"vendor": "Gerrit",
"versions": [
{
"changes": [
{
"at": "2.16.25",
"status": "unaffected"
},
{
"at": "3.0.15",
"status": "unaffected"
},
{
"at": "3.1.10",
"status": "unaffected"
},
{
"at": "3.2.5",
"status": "unaffected"
}
],
"lessThan": "2.15.21",
"status": "affected",
"version": "stable",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user\u0027s personal account data as well as sub-trees with restricted access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-10T10:15:22.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.gerritcodereview.com/3.2.html#325"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Information leakage in Gerrit",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2020-8919",
"STATE": "PUBLIC",
"TITLE": "Information leakage in Gerrit"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Gerrit",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.15.21"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "2.16.25"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.0.15"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.1.10"
},
{
"version_affected": "\u003c",
"version_name": "stable",
"version_value": "3.2.5"
}
]
}
}
]
},
"vendor_name": "Gerrit"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An information leak vulnerability exists in Gerrit versions prior to 2.15.21, 2.16.25, 3.0.15, 3.1.10, 3.2.5 where a missing access check on the branch REST API allows an attacker with only the default set of priviledges to read all other user\u0027s personal account data as well as sub-trees with restricted access."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285 Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65",
"refsource": "CONFIRM",
"url": "https://gerrit.googlesource.com/gerrit/+/0532fb876cb86bc091a91f78e6f28fff9e39ca65"
},
{
"name": "https://www.gerritcodereview.com/2.15.html#21521",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/2.15.html#21521"
},
{
"name": "https://www.gerritcodereview.com/2.16.html#21625",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/2.16.html#21625"
},
{
"name": "https://www.gerritcodereview.com/3.0.html#3014",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.0.html#3014"
},
{
"name": "https://www.gerritcodereview.com/3.1.html#3110",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.1.html#3110"
},
{
"name": "https://www.gerritcodereview.com/3.2.html#325",
"refsource": "CONFIRM",
"url": "https://www.gerritcodereview.com/3.2.html#325"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2020-8919",
"datePublished": "2020-12-10T10:15:22.000Z",
"dateReserved": "2020-02-12T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:12:10.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}