Release notes for Gerrit 2.6.1

The security hole may permit a modified Git client to gain access to hidden or deleted branches if the user has read permission on at least one branch in the repository. Access requires knowing a SHA-1 to request, which may be discovered out-of-band from an issue tracker or gitweb instance.