Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
AnalysisAI
Improper access control in GitLab Enterprise Edition allows authenticated users holding only developer-role permissions to remove code owner approval rules from merge requests, effectively bypassing a critical gatekeeping control in the software development lifecycle. Affected are all GitLab EE versions from 11.10 up to (but not including) 18.9.7, 18.10.6, and 18.11.3. No public exploit or active exploitation has been identified at time of analysis; EPSS is 0.01% and CISA SSVC rates exploitation as none, indicating this is a low-urgency but organizationally meaningful integrity issue for teams relying on code owner rules for compliance or security enforcement.
Technical ContextAI
GitLab Enterprise Edition's code owner approval rules (configured via CODEOWNERS files) enforce that specific named reviewers must approve changes to designated file paths before a merge request can be merged. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause: the application fails to verify that the acting user is authorized to perform an operation on a specific object - in this case, an approval rule record - beyond just checking their general role. A developer-role user, who should only be able to create and contribute to merge requests, can supply or manipulate a reference to a code owner approval rule object in a way the backend does not properly gate, enabling deletion of that rule. The CPE confirms the exclusive scope: cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - this issue does not affect GitLab Community Edition.
RemediationAI
GitLab has released patches in versions 18.9.7, 18.10.6, and 18.11.3 for their respective stable branches; upgrading to the appropriate fixed release is the primary and recommended remediation. The patch release advisory is at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. For self-managed GitLab EE instances that cannot be immediately upgraded, a compensating control is to audit and restrict developer-role memberships on projects where CODEOWNERS-based approval rules are critical, reducing the pool of users who could trigger this bypass. Additionally, GitLab EE administrators can enable 'Require all discussions to be resolved' and monitor merge request audit logs for unexpected removal of approval rules as a detective control. Note that restricting developer access may impact development velocity and should be weighed against the organizational risk posed by the approval rule bypass. GitLab.com (SaaS) deployments are managed by GitLab and were patched by the vendor.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30233
GHSA-57q4-65mf-59mf