What is the CVSS score of CVE-2025-5121?

CVE-2025-5121 has a CVSS 3.1 base score of 8.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Gitlab are affected by CVE-2025-5121?

A missing authorization check in GitLab allows compliance frameworks to be inappropriately applied across project boundaries, potentially exposing sensitive projects to unintended compliance policies…. A patch is available.

How to fix or mitigate CVE-2025-5121?

Within 24 hours: Inventory all GitLab instances running affected versions (17.11 before 17.11.4, 18.0 before 18.0.2) and identify which have compliance frameworks configured. Within 7 days: Audit compliance framework assignments to detect unauthorized cross-group/cross-project applications and document findings; implement temporary feature restrictions if feasible. Within 30 days: Upgrade to patched versions (17.11.4 or 18.0.2+) and re-validate compliance framework scoping post-patching.

Gitlab CVE-2025-5121

EUVD-2025-28396 HIGH

Missing Authorization (CWE-862)

2025-06-20 cve@gitlab.com

Privilege Escalation Gitlab

8.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 15, 2026 - 00:19 euvd

EUVD-2025-28396

Analysis Generated

Mar 15, 2026 - 00:19 vuln.today

CVE Published

Jun 20, 2025 - 18:15 nvd

HIGH 8.5

DescriptionNVD

An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.

AnalysisAI

GitLab CE/EE contains a missing authorization check (CWE-862) in its compliance frameworks feature that allows authenticated users with limited privileges to apply compliance frameworks to projects outside the intended scope of the framework's group, potentially affecting confidentiality, integrity, and availability. This vulnerability affects GitLab versions 17.11 before 17.11.4 and 18.0 before 18.0.2. The CVSS 8.5 score reflects high severity due to the scope change and multiple impact categories, though exploitation requires low-level user authentication and higher-than-typical attack complexity.

Technical ContextAI

GitLab's compliance frameworks feature allows administrators to define and enforce compliance policies at the group level. The vulnerability stems from inadequate authorization validation (CWE-862: Missing Authorization) in the compliance framework application logic, failing to properly verify that a user attempting to apply a framework to a project has the requisite permissions over both the framework's source group and the target project. This authorization bypass operates at the API/application layer, allowing privilege escalation within the GitLab instance. The affected products are GitLab Community Edition (CE) and Enterprise Edition (EE), which are web-based DevOps platforms built in Ruby on Rails. The flaw likely exists in the compliance framework controller or service layer responsible for validating scope boundaries before framework application.

RemediationAI

Immediate remediation: upgrade GitLab to version 17.11.4 or 18.0.2 (or later stable releases). For organizations unable to immediately patch: (1) restrict compliance framework management permissions to trusted administrators only; (2) audit compliance framework application logs to identify any unauthorized cross-group/cross-project applications; (3) implement network-level access controls to limit who can access GitLab API endpoints related to compliance frameworks; (4) disable compliance frameworks feature temporarily if not critical to operations. Refer to GitLab's official security advisory for detailed patching instructions and rollout guidance specific to your deployment (self-managed vs. SaaS).

More from same product – last 7 days

CVE-2026-3515 HIGH This Week

8.5 May 24

Command injection in Prefect 3.6.18's GitHub integration allows authenticated users to execute arbitrary git commands th

CVE-2026-9807 MEDIUM This Month POC

4.3 May 28

Incorrect authorization enforcement in GitLab CE/EE permits a blocked Project Access Token to continue reading private p

CVE-2026-4868 HIGH This Week

8.2 May 27

Identity confusion in GitLab EE's Duo AI workflow runners lets an authenticated, low-privileged user cause specific Duo

CVE-2026-1402 MEDIUM This Month

6.5 May 27

Denial of service in GitLab CE/EE affects all versions from 17.1 through those prior to 18.10.7, 18.11.4, and 19.0.1, al

CVE-2026-6713 MEDIUM This Month

5.3 May 27

Unauthorized private project enumeration in GitLab CE/EE exposes confidential project metadata to unauthenticated networ

Vendor StatusVendor

Ubuntu

Priority: Medium

gitlab

Release	Status	Version
xenial	ignored	-
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	needs-triage	-

Debian

gitlab

Release	Status	Fixed Version	Urgency
sid	vulnerable	17.6.5-19	-
(unstable)	fixed	(unfixed)	-

CVE-2025-5121 vulnerability details – vuln.today

Back

Gitlab CVE-2025-5121

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code