Skip to main content

GitLab EE EUVD-2026-36229

| CVE-2026-6552 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-11 GitLab GHSA-r82j-g6q9-mvx8
Gitlab Authentication Bypass
8.7
CVSS 3.1 · Vendor: GitLab
Share

Severity by source

Vendor (GitLab) PRIMARY
8.7 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.7 HIGH

Network-reachable web flow, low complexity, requires high-privilege group Owner role, no user interaction, scope changes to victim account with full confidentiality and integrity loss but no availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitLab).

CVSS VectorVendor: GitLab

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 11, 2026 - 13:01 EUVD
Analysis Generated
Jun 11, 2026 - 11:53 vuln.today
CVE Published
Jun 11, 2026 - 10:20 cve.org
HIGH 8.7

DescriptionCVE.org

GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.

Articles & Coverage 2

News 5 New GitLab Vulnerabilities - 5 High Severity, 4 With POC Jun 12, 2026 News 4 New GitLab Vulnerabilities - 4 High Severity, All With POC Jun 11, 2026

AnalysisAI

Account takeover in GitLab Enterprise Edition versions 15.5 through 19.0.2 allows an authenticated group Owner to hijack other group members' accounts through improper authorization in the Group SAML identity management functionality. Publicly available exploit code exists via a HackerOne report, and GitLab released patched versions 18.10.8, 18.11.5, and 19.0.2 on 2026-06-10. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise group Owner role
Delivery
Identify victim member in SAML-enabled group
Exploit
Abuse Group SAML identity-binding endpoint
Execution
Rebind victim account to attacker-controlled NameID
Persist
Authenticate via IdP as victim
Impact
Access victim's repositories, tokens, and CI/CD
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must already hold the group Owner role on a GitLab EE group that has Group SAML identity management configured (an EE-tier-only feature on Premium/Ultimate, on self-managed instances running 15.5 through pre-patched 19.0.2 or on GitLab.com pre-fix), and the victim must be a member of that same group. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N reports a network-reachable, low-complexity attack requiring high privileges (group Owner) with no user interaction and a changed scope, scoring 8.7 - appropriate because a single compromised or malicious Owner can pivot to fully controlled accounts outside their authority boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious group Owner - or an attacker who has phished or otherwise taken over an Owner account - on a GitLab EE group configured with Group SAML manipulates the SAML identity-binding flow to associate their controlled SAML NameID with a victim group member's GitLab account, then authenticates via the IdP and logs in as the victim. Because exploit code is publicly referenced via HackerOne report 3655189, the attacker can follow a known recipe; the result is full takeover of the victim account including repository access, tokens, and any downstream CI/CD privileges.
Remediation Vendor-released patches are available: upgrade self-managed GitLab EE to 18.10.8, 18.11.5, or 19.0.2 (or later) per the GitLab patch release at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/; GitLab.com is already updated by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all GitLab Enterprise Edition instances and identify those running versions 15.5-19.0.1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8589 HIGH POC
8.7 Jun 11

Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18
CVE-2026-10087 HIGH POC
8.7 Jun 11

Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role us
CVE-2026-7250 HIGH POC
7.5 Jun 11

Denial of service in GitLab CE/EE versions 12.10 through 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows un
CVE-2026-1500 MEDIUM POC
6.5 Jun 11

Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to tr
CVE-2026-6269 MEDIUM POC
5.4 Jun 11

Incorrect authorization enforcement in GitLab CE/EE exposes hidden merge requests to unauthorized modification by authen

Share

EUVD-2026-36229 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy