Description
GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Modification of Protected Environment Settings
Action: Immediate Patch
AI Analysis

Impact

GitLab Enterprise Edition contains a flaw that allows an authenticated user with developer-level permissions to change the settings of a protected deployment environment via the API. The improper authorization check lets such a user bypass the intended restriction, potentially enabling deployment of code to environments that should be reachable only by higher-privileged roles. The weakness is classified as Incorrect Authorization (CWE-863). While it does not directly execute arbitrary code, the ability to reconfigure protected environment settings can lead to privilege escalation and unauthorized application deployments, harming the confidentiality, integrity, and availability of the affected services.

Affected Systems

All GitLab Enterprise Edition installations from version 11.3 up through 18.8.8, 18.9.4, and 18.10.2 are impacted. The issue is fixed in GitLab 18.8.9, 18.9.5, and 18.10.3 and later releases. Any instance running an affected version should be upgraded to a patched release to eliminate the vulnerability.

Risk and Exploitability

The CVSS base score of 4.3 indicates a moderate risk, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is unavailable, but exploitation requires an authenticated session with the developer role and access to the project's API. Accordingly, exploitation is likely limited to users who already have legitimate access, but a malicious developer could misconfigure a protected environment, causing unintended deployments or corruption of the environment configuration. The vulnerability is therefore a medium-risk concern that should be addressed promptly.

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to version 18.8.9, 18.9.5, 18.10.3, or newer to apply the vendor patch.

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type               | Values Removed | Values Added
Description        |                | GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API.
Title              |                | Incorrect Authorization in GitLab
First Time appeared|                | Gitlab; Gitlab gitlab
Weaknesses         |                | CWE-863
CPEs               |                | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products |                | Gitlab; Gitlab gitlab
References         |                |
Metrics            |                | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:25:52.858Z

Reserved: 2026-02-02T09:33:10.110Z

Link: CVE-2026-1752

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:58.077

Modified: 2026-04-08T23:16:58.077

Link: CVE-2026-1752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:37Z

Weaknesses