Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Vulnerability Flags
Action: Patch Immediately
AI Analysis

Impact

A flaw in the authorization logic of GitLab Enterprise Edition lets an authenticated user holding the auditor role modify vulnerability flag data in private projects. The auditor role is meant to give read-only visibility across the instance, so a write path reachable from it is a privilege boundary failure: an auditor could mislabel or suppress findings, delaying remediation and distorting security reporting. The impact is to integrity only (the CVSS vector records no confidentiality or availability impact), and the weakness is classified as CWE-863, Incorrect Authorization.

Affected Systems

GitLab Enterprise Edition releases 18.6.0 through 18.8.8 (covering the 18.6, 18.7 and 18.8 lines), 18.9.0 through 18.9.4, and 18.10.0 through 18.10.2 are affected. The fix ships in 18.8.9, 18.9.5 and 18.10.3; later releases on each line are not affected. The advisory names GitLab EE only, and the auditor role is an EE feature, so Community Edition installs are not in scope.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network with low attack complexity and no user interaction, but it requires an authenticated account that already holds the auditor role, and the only impact is a limited loss of integrity. No code execution or data disclosure is involved. Exploitation likelihood is low: EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no.

Generated by OpenCVE AI on April 14, 2026 at 21:28 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Update GitLab Enterprise Edition to version 18.8.9, 18.9.5, 18.10.3, or any later release.
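The affected ranges above are easy to misread when an install sits on 18.7 or 18.8, which fall inside the first range even though the advisory only names 18.6. The following checker is an added example written for this page, not OpenCVE or GitLab code; it encodes the three ranges from the advisory and classifies a version string such as the one returned by GitLab's authenticated GET /api/v4/version endpoint. The assumption that EE builds carry an "-ee" suffix on the version string, and the sample version strings at the bottom, are constructed for the example.

```python
"""Classify a GitLab version string against the CVE-2026-2619 affected ranges.

Added example for this page, not OpenCVE or GitLab code. Ranges are taken
verbatim from the advisory: 18.6 <= v < 18.8.9, 18.9 <= v < 18.9.5,
18.10 <= v < 18.10.3, GitLab EE only.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) for each release line named in the advisory.
AFFECTED_RANGES = (
    ((18, 6, 0), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
)


def parse_version(s: str) -> Version:
    """Parse MAJOR.MINOR.PATCH, ignoring any suffix such as '-ee' or '-rc1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_enterprise(s: str) -> bool:
    """Assumption for this example: EE builds report a version ending in '-ee'."""
    return s.strip().lower().endswith("-ee")


def minimum_fix(s: str) -> Optional[str]:
    """Return the first fixed release on the same line, or None when not affected.

    Tuple comparison gives lexicographic (major, minor, patch) ordering, so
    18.7.x and 18.8.0..18.8.8 correctly land inside the 18.6 <= v < 18.8.9 range.
    """
    if not is_enterprise(s):
        return None  # the advisory covers GitLab EE only
    v = parse_version(s)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return "{}.{}.{}".format(*first_fixed)
    return None


def is_affected(s: str) -> bool:
    """True when the version string falls inside one of the affected EE ranges."""
    return minimum_fix(s) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not observed data.
    samples = ["18.5.9-ee", "18.7.2-ee", "18.8.8-ee", "18.8.9-ee",
               "18.9.4-ee", "18.9.5-ee", "18.10.1-ee", "18.10.3-ee", "18.9.4"]
    for sample in samples:
        fix = minimum_fix(sample)
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:12s} {status}")
```

The version string comes from GET /api/v4/version with any valid personal access token; feed its "version" field to minimum_fix and treat a non-None result as an upgrade target.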

Generated by OpenCVE AI on April 14, 2026 at 21:28 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:00:00 +0000

  Type     Values Removed   Values Added
  CPEs     (none)           cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 14:15:00 +0000

  Type     Values Removed   Values Added
  Metrics  (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 22:45:00 +0000

  Type                 Values Removed   Values Added
  Description          (none)           GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.
  Title                (none)           Incorrect Authorization in GitLab
  First Time appeared  (none)           Gitlab; Gitlab gitlab
  Weaknesses           (none)           CWE-863
  CPEs                 (none)           cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products   (none)           Gitlab; Gitlab gitlab
  References           (none)           (none)
  Metrics              (none)           cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T13:04:26.216Z

Reserved: 2026-02-17T07:34:18.595Z

Link: CVE-2026-2619

Vulnrichment

Updated: 2026-04-09T13:04:22.725Z

NVD

Status : Analyzed

Published: 2026-04-08T23:16:58.557

Modified: 2026-04-14T16:55:10.480

Link: CVE-2026-2619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses