Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorization flaw in GitLab allows a user with the developer role to delete protected container registry tags. The vulnerability stems from missing authorization checks during the delete operation. If exploited, an attacker can modify or remove important images, potentially leading to loss of application integrity, supply-chain contamination, or denial of service to teams relying on those images.

Affected Systems

GitLab Community and Enterprise editions are affected. Affected versions are all releases from 17.10 up to, but not including, 18.9.7; from 18.10 up to, but not including, 18.10.6; and from 18.11 up to, but not including, 18.11.3. The vendor responsible is GitLab Inc.

Risk and Exploitability

The CVSS score is 4.3, indicating a low to moderate severity. EPSS information is missing, so exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with developer-level permissions, so the attack surface is limited to users who already hold that role on the affected GitLab instance.

Generated by OpenCVE AI on May 14, 2026 at 07:50 UTC.

Remediation

Vendor Solution

Upgrade to version 18.9.7, 18.10.6, or 18.11.3, or a later release.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.7, 18.10.6, or 18.11.3, or a later release. The patch adds the missing authorization check.
  • Re-evaluate developer access for projects that use the container registry and enforce least privilege, so that only trusted developers hold deletion rights.
  • Enable audit logging for container registry actions to detect and respond to unauthorized deletions.

Generated by OpenCVE AI on May 14, 2026 at 07:50 UTC.

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Values added (nothing removed):
  CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
        cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Values added (nothing removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Values added (nothing removed):
  Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
  Title: Authorization Bypass Through User-Controlled Key in GitLab
  First Time appeared: Gitlab; Gitlab gitlab
  Weaknesses: CWE-639
  CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products: Gitlab; Gitlab gitlab
  References:
  Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:05:58.427Z

Reserved: 2026-01-22T14:04:11.747Z

Link: CVE-2026-1338

Vulnrichment

Updated: 2026-05-14T13:05:54.240Z

NVD

Status: Analyzed

Published: 2026-05-14T06:16:21.520

Modified: 2026-05-16T03:36:54.020

Link: CVE-2026-1338

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:00:11Z

Weaknesses