Impact
GitLab’s group import process contains an improper authorization validation flaw that allows an authenticated user who holds group import permissions to create labels in private projects. This missing authorization check (CWE-862) lets the user alter project metadata without proper authorization, but does not grant additional capabilities such as code execution, data exfiltration, or privilege escalation. The effect is limited to the creation of unauthorized labels, which could be used to obscure malicious activity or to support social engineering within a private project.
Affected Systems
All installations of GitLab Community Edition and Enterprise Edition are affected when they include the group import functionality and are running a version that falls within one of the following ranges: from version 14.4 up to but not including 18.7.6, from 18.8 up to but not including 18.8.6, or from 18.9 up to but not including 18.9.2. Any deployment that has at least one user with group import permissions and is within these version ranges is therefore vulnerable.
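To turn the version ranges above into a repeatable check, the following script (an added example, not code from GitLab or from this advisory) compares a deployment's reported version against the three affected ranges. The version strings it is run on are constructed samples; the range boundaries are taken from the advisory text.

```python
# Added example: decide whether a GitLab version falls inside the affected
# ranges stated in this advisory. Each range is [first affected, first fixed).
from typing import Optional, Tuple

# Boundaries copied from the advisory text.
AFFECTED_RANGES = (
    ("14.4", "18.7.6"),
    ("18.8", "18.8.6"),
    ("18.9", "18.9.2"),
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '18.7.6' or '18.8' into a comparable (major, minor, patch) tuple.

    A build suffix such as '-ee' or '-ce' is dropped, and missing components
    are padded with zero, so '18.8' compares as (18, 8, 0).
    """
    core = v.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def minimum_fixed(version: str) -> Optional[str]:
    """Return the first fixed release on the branch the version is on,
    or None when the version is outside every affected range."""
    ver = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= ver < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version lies in any [first affected, first fixed) range."""
    return minimum_fixed(version) is not None


if __name__ == "__main__":
    # Constructed sample versions straddling each range boundary.
    for sample in ("14.3.9", "14.4.0", "18.7.5-ee", "18.7.6",
                   "18.8.2", "18.8.6", "18.9.1", "18.9.2"):
        status = "affected" if is_affected(sample) else "not affected"
        print(f"{sample:>10}: {status}, first fixed: {minimum_fixed(sample)}")
```

The check only covers the version test; whether a user on the instance actually holds group import permissions still has to be confirmed separately, as the advisory makes that a precondition.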
Risk and Exploitability
The vulnerability carries a CVSS base score of 4.3, indicating low to moderate severity. The EPSS score is below 1%, suggesting that widespread exploitation is unlikely. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who already holds group import permissions; no additional external access or preconditions are required. Because the attack requires authentication and is confined to the scope of the user’s import rights, the potential impact is limited to label creation within private projects.
OpenCVE Enrichment