Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.
AnalysisAI
GitLab Enterprise Edition's instance-level approval rule editing prevention control can be bypassed by authenticated Maintainer-level users due to missing server-side authorization checks (CWE-862). Affected are all GitLab EE versions from 16.10 through before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An attacker holding Maintainer permissions can modify or delete project approval rules even when an administrator has explicitly enabled the instance-level restriction designed to prevent such changes, undermining the integrity of merge request approval workflows. No public exploit identified at time of analysis, and EPSS is at the 1st percentile, indicating negligible opportunistic exploitation risk.
Technical ContextAI
GitLab EE includes an instance-level administrative control that is intended to lock down project-level approval rule editing, preventing even high-privilege project users such as Maintainers from altering merge request approval requirements after an administrator sets them. The vulnerability is rooted in CWE-862 (Missing Authorization): when a Maintainer submits a request to modify or delete a project approval rule, the server fails to verify whether the instance-level prevention flag is active before processing the action. The CPE string cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* confirms this is exclusive to the Enterprise Edition, covering a wide version band from 16.10 onward. The CVSS vector AV:N/AC:L/PR:H/UI:N reflects a network-accessible API endpoint that requires no user interaction but does require the attacker to already hold high-level project privileges. The missing check is an authorization bypass rather than an authentication bypass despite the tag, as authenticated sessions are still required.
RemediationAI
GitLab has released patched versions that resolve this missing authorization check. Administrators should upgrade GitLab EE to version 18.9.7, 18.10.6, or 18.11.3 depending on their current release track, as documented in the official patch release blog at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. If immediate upgrade is not possible, a compensating control is to review and reduce the Maintainer-role membership on projects where approval rule integrity is critical - specifically removing the Maintainer role from untrusted users, since the vulnerability requires Maintainer-level access. Note that downgrading Maintainer accounts to Developer will limit their ability to manage other project settings as a side effect. Disabling the instance-level approval rule editing prevention feature is not a recommended workaround, as it removes the intended policy control entirely. The HackerOne report at https://hackerone.com/reports/3561092 may contain additional technical detail once disclosed.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30223
GHSA-8xwh-m77v-v26p