Description
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In GitLab Enterprise Edition, an incorrect authorization flaw in DAST site profile management can let a user holding the Developer role expose stored DAST site profile secrets, a breach of confidentiality that applies when that user can reach the profile management interface. The vulnerability maps to CWE-863 (Incorrect Authorization), indicating a flaw in access control enforcement.

Affected Systems

The issue affects GitLab versions from 13.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. All products listed under the GitLab:GitLab vendor/product pair are impacted unless they have been patched to the fixed releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, so the likelihood of exploitation is currently unknown. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be internal, requiring the attacker to possess a Developer role and access to the DAST site profile management functions; no remote code execution or unauthenticated network-level entry is described.

Generated by OpenCVE AI on June 25, 2026 at 06:51 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.6, 19.0.3, 19.1.1 or later as provided by the vendor.
  • Limit Developer role permissions to restrict access to DAST site profile management; apply least-privilege settings if possible.
  • If DAST site profile secrets are not required, disable the feature or store secrets externally to reduce exposure.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type                 | Values Removed | Values Added
Description          |                | GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.
Title                |                | Incorrect Authorization in GitLab
First Time appeared  |                | Gitlab; Gitlab gitlab
Weaknesses           |                | CWE-863
CPEs                 |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   |                | Gitlab; Gitlab gitlab
References           |                |
Metrics              |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:33:49.041Z

Reserved: 2026-06-05T12:50:38.119Z

Link: CVE-2026-11379

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T07:00:11Z

Weaknesses