Impact
The vulnerability arises from improper authorization checks in GitLab Enterprise Edition, allowing an authenticated user to alter group‑level settings beyond their assigned permissions. This flaw could be exploited to change group visibility, feature access, or other configuration parameters, potentially undermining the intended isolation and governance of projects within the group. The impact is limited to configuration integrity rather than direct code execution or data exfiltration, resulting in a low‑severity risk as reflected by the CVSS score of 2.7.
Affected Systems
GitLab Enterprise Edition releases from version 16.10 through 18.11.6, plus 19.0.0‑19.0.3 and 19.1.0‑19.1.1, are affected. These versions allow a user with any authenticated role to modify settings that should be restricted to higher‑level group owners or administrators.
Risk and Exploitability
The CVSS score of 2.7 classifies the issue as low severity, and no EPSS data is available, indicating a low likelihood of widespread exploitation. The flaw requires the attacker to be a legitimate user with access to the affected GitLab instance; no elevated privileges or remote code execution are necessary. An attacker could send crafted API calls or use the user interface to write beyond their authorization limits, but the attack vector is confined to authenticated sessions and does not bypass core authentication mechanisms. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited threat exposure at present.
OpenCVE Enrichment