Description
GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Published: 2026-02-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of protected packages by users with insufficient privileges
Action: Apply Patches
AI Analysis

Impact

GitLab experienced an authentication bypass flaw that could let users holding a Developer role modify protected Conan packages without proper authorization. The defect originates from the handling of alternate paths or channels that bypass normal permission checks. If exploited, it would allow a non-admin user to alter package metadata or contents, potentially compromising downstream users and systems that rely on those packages.

Affected Systems

The vulnerability affects GitLab Enterprise Edition and Community Edition across all major releases starting with 17.11 up to before 18.7.5, from 18.8 before 18.8.5, and from 18.9 before 18.9.1. Restoring to any of the patched releases – 18.7.5, 18.8.5, 18.9.1 or later – eliminates the weakness.

Risk and Exploitability

The CVSS v3.1 base score is 4.3, placing the issue in the moderate range. EPSS indicates the exploitation probability is below 1 %. The flaw is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to be a Developer‑role user on a vulnerable instance and to access the vulnerable package management interface or API path that triggers the bypass. No additional host, network, or local prerequisites are required beyond legitimate user credentials.

Generated by OpenCVE AI on April 17, 2026 at 14:56 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.5, 18.8.5, 18.9.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab EE or EE Community to version 18.7.5, 18.8.5, 18.9.1 or any newer release provided by the vendor
  • Verify that all protected Conan packages are configured to require higher‑level permissions for modification
  • Audit user roles and reduce unnecessary Developer access on repositories that expose protected packages

Generated by OpenCVE AI on April 17, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.9.0:*:*:*:enterprise:*:*:*

Thu, 26 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 17.11 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain conditions, could have allowed Developer-role users with insufficient privileges to make unauthorized modifications to protected Conan packages.
Title Authentication Bypass Using an Alternate Path or Channel in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-288
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-26T15:39:03.951Z

Reserved: 2026-02-01T18:33:18.805Z

Link: CVE-2026-1747

cve-icon Vulnrichment

Updated: 2026-02-26T15:38:37.628Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T21:16:36.993

Modified: 2026-02-28T01:05:55.340

Link: CVE-2026-1747

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses