Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Developer-role authentication required (PR:L); only Maven metadata integrity affected (I:L); no confidentiality or availability impact; scope unchanged as exploitation is confined to the GitLab instance.
Primary rating from Vendor (gitlab).
CVSS VectorVendor: gitlab
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.
AnalysisAI
Incorrect authorization in GitLab CE/EE allows authenticated users holding developer-role permissions to bypass Maven package protection rules and overwrite protected package metadata. All GitLab versions from 17.11 through 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 are affected, with patched releases available across all three trains. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a valid GitLab account with at minimum developer-role permissions in the target project or group - guest and reporter roles are insufficient; (2) the target project must have Maven package protection rules explicitly configured by an administrator or maintainer, as projects without these rules have no protection to bypass; (3) the attacker targets the Maven package metadata write endpoint specifically - no evidence suggests other package formats (npm, PyPI, etc.) are affected by this same flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated GitLab user with developer-role membership in a target project crafts a Maven metadata write request - such as updating maven-metadata.xml - targeting a package governed by protection rules that should normally block developer-level writes. The incorrect authorization check passes the request through, allowing the developer to overwrite the protected metadata with attacker-controlled content. … |
| Remediation | The primary fix is to upgrade GitLab CE/EE to one of the three patched releases: 18.11.6, 19.0.3, or 19.1.1, as detailed in the GitLab patch release notes at https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39173
GHSA-8vj4-48p6-q87m