Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper authorization controls.
Published: 2026-07-08
Score: 2.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper authorization checks in GitLab Enterprise Edition, allowing an authenticated user to alter group‑level settings beyond their assigned permissions. This flaw could be exploited to change group visibility, feature access, or other configuration parameters, potentially undermining the intended isolation and governance of projects within the group. The impact is limited to configuration integrity rather than direct code execution or data exfiltration, resulting in a low‑severity risk as reflected by the CVSS score of 2.7.

Affected Systems

GitLab Enterprise Edition releases from version 16.10 through 18.11.6, plus 19.0.0‑19.0.3 and 19.1.0‑19.1.1, are affected. These versions allow a user with any authenticated role to modify settings that should be restricted to higher‑level group owners or administrators.

Risk and Exploitability

The CVSS score of 2.7 classifies the issue as low severity, and no EPSS data is available, indicating a low likelihood of widespread exploitation. The flaw requires the attacker to be a legitimate user with access to the affected GitLab instance; no elevated privileges or remote code execution are necessary. An attacker could send crafted API calls or use the user interface to write beyond their authorization limits, but the attack vector is confined to authenticated sessions and does not bypass core authentication mechanisms. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited threat exposure at present.

Generated by OpenCVE AI on July 9, 2026 at 04:04 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab Enterprise Edition 18.11.7, 19.0.4, 19.1.2 or newer to remove the authorization flaw
  • Reevaluate group‑level permission configurations, ensuring that only individuals with sufficient roles can alter settings, in line with best practices for authorization control (CWE‑863)
  • Configure audit logging and alerts to detect any unauthorized changes to group configuration, allowing rapid response if a policy violation is observed

Generated by OpenCVE AI on July 9, 2026 at 04:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper authorization controls.
Title Incorrect Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-863
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-07-08T20:46:18.853Z

Reserved: 2026-06-24T10:43:58.146Z

Link: CVE-2026-13151

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses