Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.
Published: 2026-04-22
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass
Action: Immediate patch
AI Analysis

Impact

GitLab contains an authorization flaw (CWE‑863, incorrect authorization) in its fork logic: under certain conditions an authenticated user who holds the Owner role on a project can bypass group fork prevention settings. A project owner can therefore create forks that the group's settings are meant to block, undermining the group's fork policy. The CVSS vector rates the impact as low integrity (I:L) with no confidentiality or availability impact.

Affected Systems

GitLab Community Edition and Enterprise Edition are affected from 11.2 up to but not including 18.9.6, 18.10 releases before 18.10.4, and 18.11 releases before 18.11.1. The flaw only matters where a group relies on fork prevention settings; an instance that does not restrict forking has nothing to bypass.

Risk and Exploitability

With a CVSS 3.1 base score of 2.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N), the vulnerability is rated low severity. The EPSS score is below 1% and the bug is not listed in CISA's KEV catalog, so there is no indication of widespread exploitation; the SSVC enrichment records a proof of concept (Exploitation: poc) and rates the issue not automatable. Exploitation requires an account that already holds the Owner role on a project (PR:H), so unauthenticated attackers cannot use it directly; the realistic threat is an insider or a compromised owner account. Overall risk is low, but organisations that depend on group fork prevention to keep code inside a group boundary should still treat the fix as a priority.

Generated by OpenCVE AI on April 22, 2026 at 18:21 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to the patched release for your branch (18.9.6, 18.10.4 or 18.11.1) or any newer release to address the authorization flaw.
  • After upgrading, verify that group fork prevention settings are still configured as intended and audit existing forks of protected projects for any created outside their group while the flaw was present.
  • If the upgrade cannot be applied immediately, limit the Owner role on projects in protected groups to the accounts that need it and disable forking on critical projects until the patch is applied.
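Two checks a practitioner would want after reading this advisory, as an added example that is not OpenCVE's or GitLab's code: whether a given GitLab version falls inside the affected ranges above, and which existing forks of a protected project sit outside the group (or its subgroups), using the namespace.full_path field that GitLab's Projects API returns for fork records. The sample fork records are constructed for the example; fetch_forks() shows the live call against GET /api/v4/projects/:id/forks but the offline demo never makes it.

```python
"""Two checks for CVE-2025-9957 (added example, not OpenCVE's or GitLab's code).

1. is_affected(): is a GitLab version inside the advisory's affected ranges?
2. forks_outside_group(): given fork records shaped like the Projects API
   `GET /api/v4/projects/:id/forks` response, which forks live outside the
   protected group or its subgroups?

The SAMPLE_FORKS records below are constructed for this example.
"""
from __future__ import annotations

import json
import urllib.request

# Affected ranges from the advisory: [first affected, first fixed).
AFFECTED_RANGES = [
    ((11, 2, 0), (18, 9, 6)),    # 11.2 up to but not including 18.9.6
    ((18, 10, 0), (18, 10, 4)),  # 18.10 before 18.10.4
    ((18, 11, 0), (18, 11, 1)),  # 18.11 before 18.11.1
]


def parse_version(version: str) -> tuple[int, int, int]:
    """'18.9.5-ee' -> (18, 9, 5). Edition suffixes and build metadata are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls in any affected range (tuple comparison is lexicographic)."""
    ver = parse_version(version)
    return any(lo <= ver < hi for lo, hi in AFFECTED_RANGES)


def forks_outside_group(forks: list[dict], group_full_path: str) -> list[str]:
    """Return path_with_namespace of every fork whose namespace is neither the
    group itself nor one of its subgroups. The prefix check includes the
    trailing '/' so that 'acme-contractors' does not match group 'acme'."""
    group = group_full_path.strip("/")
    prefix = group + "/"
    flagged = []
    for fork in forks:
        ns = fork["namespace"]["full_path"]
        if ns != group and not ns.startswith(prefix):
            flagged.append(fork["path_with_namespace"])
    return flagged


def fetch_forks(base_url: str, token: str, project_id: int) -> list[dict]:
    """Fetch all forks of a project from a live instance, following page/per_page
    pagination. Not called by the offline demo; needs a token with read_api scope."""
    forks: list[dict] = []
    page = 1
    while True:
        url = (f"{base_url.rstrip('/')}/api/v4/projects/{project_id}/forks"
               f"?per_page=100&page={page}")
        req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
        with urllib.request.urlopen(req) as resp:
            batch = json.load(resp)
        if not batch:
            return forks
        forks.extend(batch)
        page += 1


# Constructed sample: three forks of a project that lives in group "acme".
SAMPLE_FORKS = [
    {"path_with_namespace": "acme/platform/api",
     "namespace": {"full_path": "acme/platform", "kind": "group"}},   # subgroup: allowed
    {"path_with_namespace": "jdoe/api",
     "namespace": {"full_path": "jdoe", "kind": "user"}},             # personal namespace: outside
    {"path_with_namespace": "acme-contractors/api",
     "namespace": {"full_path": "acme-contractors", "kind": "group"}},  # unrelated group: outside
]

if __name__ == "__main__":
    for v in ("18.9.5", "18.9.6", "18.10.3-ee", "18.11.0", "18.11.1"):
        print(f"{v:12} affected={is_affected(v)}")
    print("forks outside acme:", forks_outside_group(SAMPLE_FORKS, "acme"))
```

Run the version check against the output of `gitlab-rake gitlab:env:info` or the instance's `/api/v4/version` endpoint; for the fork audit, feed fetch_forks() the ID of each project in the protected group and review anything forks_outside_group() flags.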

Generated by OpenCVE AI on April 22, 2026 at 18:21 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 21:00:00 +0000

Type: CPEs
Values:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type: Description
Values added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user with project owner permissions to bypass group fork prevention settings due to improper authorization checks.

Type: Title
Values added: Incorrect Authorization in GitLab

Type: First Time appeared
Values added: Gitlab; Gitlab gitlab

Type: Weaknesses
Values added: CWE-863

Type: CPEs
Values added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Gitlab; Gitlab gitlab

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added:
  {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:34:06.772Z

Reserved: 2025-09-03T16:05:53.191Z

Link: CVE-2025-9957

Vulnrichment

Updated: 2026-04-22T17:33:51.237Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:33.557

Modified: 2026-04-23T20:46:07.997

Link: CVE-2025-9957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T19:15:24Z

Weaknesses