A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.