Description
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Unauthorized Access to Protected Environment Settings
Action: Apply Patch
AI Analysis

Impact

An improper authorization check in GitLab EE's API lets a user holding only the developer role modify protected environment settings that should be reserved for higher-privileged roles. Because protected environments control who and which pipelines may deploy to an environment, this flaw can allow alterations to deployment pipelines or the introduction of malicious configuration changes, potentially affecting the confidentiality, integrity, and availability of applications deployed through GitLab's CI/CD. The weakness is cataloged as CWE-863 (Incorrect Authorization): an authorization check exists but does not correctly enforce least privilege.

Affected Systems

GitLab Enterprise Edition versions from 11.3 up to, but not including, 18.8.9; from 18.9 up to, but not including, 18.9.5; and from 18.10 up to, but not including, 18.10.3 are affected. Operators running these releases should check their exact version against these ranges.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network with low attack complexity and no user interaction, but requiring low privileges and affecting integrity only. The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Exploitation requires an authenticated account with developer-level permissions, so the attack path is limited to users who already hold that role but would gain more control over protected environments than intended.

Generated by OpenCVE AI on April 14, 2026 at 20:23 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, or 18.10.3, or a later release.

OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to version 18.8.9, 18.9.5, 18.10.3, or any later release.


Tracking


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

  Type   Values removed   Values added
  CPEs                    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 15:15:00 +0000

  Type      Values removed   Values added
  Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 22:45:00 +0000

  Type                  Values removed   Values added
  Description                            GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
  Title                                  Incorrect Authorization in GitLab
  First time appeared                    Gitlab (vendor); Gitlab gitlab (product)
  Weaknesses                             CWE-863
  CPEs                                   cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products                     Gitlab (vendor); Gitlab gitlab (product)
  References
  Metrics                                cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T14:58:43.291Z

Reserved: 2026-02-02T09:33:10.110Z

Link: CVE-2026-1752

Vulnrichment

Updated: 2026-04-09T14:58:39.334Z

NVD

Status: Analyzed

Published: 2026-04-08T23:16:58.077

Modified: 2026-04-14T17:02:07.153

Link: CVE-2026-1752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses