Skip to main content

GitLab EE CVE-2026-6063

| EUVDEUVD-2026-30233 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 cve@gitlab.com GHSA-57q4-65mf-59mf
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:23 vuln.today
Patch available
May 14, 2026 - 07:01 EUVD

DescriptionCVE.org

GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.

AnalysisAI

Improper access control in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to remove code owner approval rules from merge requests, effectively bypassing a critical gatekeeping control in the software development lifecycle. Affected are all GitLab EE versions from 11.10 up to (but not including) 18.9.7, 18.10.6, and 18.11.3. No public exploit or active exploitation has been identified at time of analysis; EPSS is 0.01% and CISA SSVC rates exploitation as none, indicating this is a low-urgency but organizationally meaningful integrity issue for teams relying on code owner rules for compliance or security enforcement.

Technical ContextAI

GitLab Enterprise Edition's code owner approval rules (configured via CODEOWNERS files) enforce that specific named reviewers must approve changes to designated file paths before a merge request can be merged. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause: the application fails to verify that the acting user is authorized to perform an operation on a specific object - in this case, an approval rule record - beyond just checking their general role. A developer-role user, who should only be able to create and contribute to merge requests, can supply or manipulate a reference to a code owner approval rule object in a way the backend does not properly gate, enabling deletion of that rule. The CPE confirms the exclusive scope: cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - this issue does not affect GitLab Community Edition.

RemediationAI

GitLab has released patches in versions 18.9.7, 18.10.6, and 18.11.3 for their respective stable branches; upgrading to the appropriate fixed release is the primary and recommended remediation. The patch release advisory is at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. For self-managed GitLab EE instances that cannot be immediately upgraded, a compensating control is to audit and restrict developer-role memberships on projects where CODEOWNERS-based approval rules are critical, reducing the pool of users who could trigger this bypass. Additionally, GitLab EE administrators can enable 'Require all discussions to be resolved' and monitor merge request audit logs for unexpected removal of approval rules as a detective control. Note that restricting developer access may impact development velocity and should be weighed against the organizational risk posed by the approval rule bypass. GitLab.com (SaaS) deployments are managed by GitLab and were patched by the vendor.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-6063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy