Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
6DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
AnalysisAI
GitLab CE/EE versions 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 allow authenticated users to access Virtual Registries using invalidated or incorrectly scoped credentials under certain conditions, resulting in unauthorized information disclosure and modification. The vulnerability requires valid user credentials and network access but no user interaction, affecting confidentiality and integrity with partial technical impact per SSVC. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
The vulnerability stems from improper credential validation and scope enforcement in GitLab's Virtual Registry functionality (CWE-613: Insufficient Session Expiration). Virtual Registries are containerized artifact storage systems that rely on credential-based access control. The flaw occurs when GitLab fails to properly invalidate or enforce scope boundaries on user credentials during registry access decisions, allowing a logged-in user to leverage credentials beyond their intended authorization scope. This affects the entire GitLab CE/EE product family (cpe:2.3:a:gitlab:gitlab) across the specified version ranges, and the issue is authentication-dependent, requiring valid user session credentials to exploit.
RemediationAI
Vendor-released patches are available: upgrade GitLab to version 18.9.6, 18.10.4, 18.11.1, or later per the official GitLab patch release (https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released/). For environments unable to patch immediately, implement the following compensating controls: audit and revoke any service account credentials or API tokens that have been granted broader registry access scopes than necessary (trade-off: administrative overhead and potential application disruption if credentials are actively used); restrict network access to Virtual Registry endpoints to specific IP ranges or networks where authenticated users legitimately access registries (trade-off: may block legitimate remote access); enforce multi-factor authentication (MFA) for all user accounts with registry access permissions (trade-off: user experience friction); and implement continuous monitoring of Virtual Registry credential usage to detect abnormal access patterns by users accessing registries with invalidated or out-of-scope credentials. Patching is the primary remediation and should be prioritized for instances with sensitive container image registries or shared multi-tenant deployments.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25048
GHSA-h8q5-vxrg-qgmf