Skip to main content

GitLab EE EUVDEUVD-2026-30223

| CVE-2026-2900 LOW
Missing Authorization (CWE-862)
2026-05-14 cve@gitlab.com GHSA-8xwh-m77v-v26p
2.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.7 LOW
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 12:54 vuln.today
Patch available
May 14, 2026 - 07:01 EUVD

DescriptionCVE.org

GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.

AnalysisAI

GitLab Enterprise Edition's instance-level approval rule editing prevention control can be bypassed by authenticated Maintainer-level users due to missing server-side authorization checks (CWE-862). Affected are all GitLab EE versions from 16.10 through before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An attacker holding Maintainer permissions can modify or delete project approval rules even when an administrator has explicitly enabled the instance-level restriction designed to prevent such changes, undermining the integrity of merge request approval workflows. No public exploit identified at time of analysis, and EPSS is at the 1st percentile, indicating negligible opportunistic exploitation risk.

Technical ContextAI

GitLab EE includes an instance-level administrative control that is intended to lock down project-level approval rule editing, preventing even high-privilege project users such as Maintainers from altering merge request approval requirements after an administrator sets them. The vulnerability is rooted in CWE-862 (Missing Authorization): when a Maintainer submits a request to modify or delete a project approval rule, the server fails to verify whether the instance-level prevention flag is active before processing the action. The CPE string cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* confirms this is exclusive to the Enterprise Edition, covering a wide version band from 16.10 onward. The CVSS vector AV:N/AC:L/PR:H/UI:N reflects a network-accessible API endpoint that requires no user interaction but does require the attacker to already hold high-level project privileges. The missing check is an authorization bypass rather than an authentication bypass despite the tag, as authenticated sessions are still required.

RemediationAI

GitLab has released patched versions that resolve this missing authorization check. Administrators should upgrade GitLab EE to version 18.9.7, 18.10.6, or 18.11.3 depending on their current release track, as documented in the official patch release blog at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. If immediate upgrade is not possible, a compensating control is to review and reduce the Maintainer-role membership on projects where approval rule integrity is critical - specifically removing the Maintainer role from untrusted users, since the vulnerability requires Maintainer-level access. Note that downgrading Maintainer accounts to Developer will limit their ability to manage other project settings as a side effect. Disabling the instance-level approval rule editing prevention feature is not a recommended workaround, as it removes the intended policy control entirely. The HackerOne report at https://hackerone.com/reports/3561092 may contain additional technical detail once disclosed.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

EUVD-2026-30223 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy