Description
GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.
Published: 2026-06-25
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition contains an authorization flaw that allows an authenticated user with a custom role to view, create, or delete protected environment configurations even when CI/CD visibility is disabled for the project. The flaw permits unauthorized access to configuration data that is normally restricted in protected environments.

Affected Systems

GitLab Enterprise Edition versions 17.9 through 18.11.5, 19.0 through 19.0.2, and 19.1.0 are affected. Releases 18.11.6, 19.0.3 and 19.1.1 and later contain the fix.

Risk and Exploitability

The CVSS score of 3.8 indicates a low overall risk. Exploitation requires a valid authenticated session with custom role permissions, so the attack is credential-based. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The overall likelihood of widespread exploitation is considered limited, though it remains a concern in environments that grant extensive custom role permissions.

Generated by OpenCVE AI on June 25, 2026 at 06:50 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab EE 18.11.6, 19.0.3, 19.1.1 or newer.
  • Restrict custom role permissions so they cannot access protected environment configurations.
  • Verify that CI/CD visibility settings are applied correctly and monitor for unauthorized configuration changes.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Values added (nothing removed):

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 05:15:00 +0000

Values added (nothing removed):

  • Description: GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.
  • Title: Incorrect Authorization in GitLab
  • First Time appeared: Gitlab; Gitlab gitlab
  • Weaknesses: CWE-863
  • CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  • Vendors & Products: Gitlab; Gitlab gitlab
  • References: (none)
  • Metrics (cvssV3_1): {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T12:50:22.510Z

Reserved: 2026-01-14T08:33:35.395Z

Link: CVE-2026-0934

Vulnrichment

Updated: 2026-06-25T12:50:15.718Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T09:15:04Z

Weaknesses