Description
A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
Published: 2026-02-02
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of merge request approval rules
Action: Immediate Patch
AI Analysis

Impact

GitLab versions 16.8 through 18.4.9 expose a missing authorization check that permits an attacker with access to the web interface or API to modify merge request approval rules. This flaw compromises the integrity of repo governance by allowing approval rules to be altered without proper permission, potentially enabling unauthorized merges or bypassing required reviews.

Affected Systems

The vulnerability affects GitLab Community and Enterprise editions, all versions from 16.8 up to but not including 18.5.0.

Risk and Exploitability

The flaw carries a CVSS v3.1 score of 3.1, indicating moderate impact. EPSS indicates a very low exploitation probability (<1%) and the issue is not in the CISA KEV catalog. Exploitation likely requires authenticated access via the web UI or API, but the missing authorization gate allows any user with basic access to create or edit approval rules. The risk is confined to authorization bypass rather than remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 00:40 UTC.

Remediation

Vendor Solution

Upgrade to version 18.5.0 or above

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.5.0 or later, which removes the missing authorization check.
  • If upgrading is delayed, restrict the 'Merge Request Approvals' scope to trusted users only by adjusting permissions or using protected branches.
  • Apply audit logging to capture any changes to approval rules so discrepancies can be identified promptly.

Generated by OpenCVE AI on April 18, 2026 at 00:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Mon, 02 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 09:30:00 +0000

Type Values Removed Values Added
Description A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-02T13:24:44.683Z

Reserved: 2026-02-02T09:04:33.310Z

Link: CVE-2026-1751

cve-icon Vulnrichment

Updated: 2026-02-02T13:24:30.874Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T10:16:06.693

Modified: 2026-02-04T14:34:06.983

Link: CVE-2026-1751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses