Description
GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition possesses an improper authorization check that can allow an authenticated user with developer role permissions to view sensitive deployment data on projects. This flaw does not give remote code execution or denial of service but permits unauthorized disclosure of deployment information, compromising confidentiality of project infrastructure settings or configuration details.

Affected Systems

GitLab EE versions before 18.10.7, before 18.11.4, and before 19.0.1 are affected. The vulnerability applies to all releases from 11.5 to these cut‑off points where the authorization logic is deficient.

Risk and Exploitability

The CVSS score is 4.3, indicating low to moderate severity. EPSS is currently unavailable, so the likelihood of exploitation in the wild cannot be quantified but is presumably low without public exploitation data. The vulnerability is not listed in CISA KEV. An attacker would need to be an authenticated developer on a GitLab instance to benefit from the flaw, suggesting the attack vector is authenticated and role‑based.

Generated by OpenCVE AI on May 27, 2026 at 21:00 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.7, 18.11.4, 19.0.1 or above.

OpenCVE Recommended Actions

  • Upgrade the GitLab instance to version 18.10.7, 18.11.4, or 19.0.1 (or any newer release) to apply the vendor‑published fix.
  • Deploy the upgrade to all affected GitLab Enterprise Edition instances and ensure the new version is running across the environment.
  • Limit developer role permissions so that developers cannot access deployment data until the patch has been implemented, enforcing least‑privilege authorization controls.

Generated by OpenCVE AI on May 27, 2026 at 21:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:enterprise:*:*:*

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-27T19:04:49.153Z

Reserved: 2026-02-16T21:04:09.684Z

Link: CVE-2026-2601

cve-icon Vulnrichment

Updated: 2026-05-27T19:04:11.748Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T19:16:16.000

Modified: 2026-05-27T20:53:14.787

Link: CVE-2026-2601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses