Description
A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.
Published: 2026-05-18
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can exploit the Command‑Line Client of Perforce P4 (Helix Core) before the 2025.2 Patch 2 upgrade to inject and execute arbitrary code on the server. This vulnerability is a classic code‑injection flaw (CWE‑94) that can compromise confidentiality, integrity, and availability of the server and the data it stores.

Affected Systems

Perforce P4 (Helix Core) servers running versions prior to 2025.2 Patch 2 are affected.

Risk and Exploitability

The CVSS score of 7.7 classifies it as high severity. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:P) describes a network-reachable attack that needs no privileges but depends on an attack requirement being present and on passive user interaction. EPSS is not available, and the vulnerability is not listed in KEV, suggesting limited known exploitation. Nevertheless, as the flaw enables remote code execution via the command‑line interface, the potential damage is high. Without a patch, attackers could gain full control of the server by supplying malicious input when using the client.

Generated by OpenCVE AI on May 18, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to P4 Server 2025.2 Patch 2 or later, which contains the fix.
  • Disable or restrict access to the command‑line client for untrusted users if an immediate upgrade is not possible.
  • Apply sandboxing or application‑layer firewall rules to limit the commands that can be executed via the client as a temporary mitigation.
  • Check Perforce’s website for updated patches and security advisories to stay current with future fixes.

Advisories

No advisories yet.

History

Mon, 18 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.
Title | | Code Injection in Perforce P4 (Helix Core)
Weaknesses | | CWE-94
References | |
Metrics | | cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Perforce

Published:

Updated: 2026-05-18T07:49:16.460Z

Reserved: 2026-04-23T09:27:12.742Z

Link: CVE-2026-6902

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T09:16:24.283

Modified: 2026-05-18T09:16:24.283

Link: CVE-2026-6902

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T11:00:11Z

Weaknesses