Impact
The vulnerability is a missing authorization check in GitLab Enterprise Edition that allows an authenticated user with Maintainer permissions to modify or delete project approval rules even when instance-level prevention of approval rule editing is enabled. This flaw can be used to alter project governance parameters, potentially undermining compliance requirements or escalating privileges within the repository environment. It is classified as CWE-862 (Missing Authorization).
Affected Systems
The affected vendor and product is GitLab Enterprise Edition: all instances from version 16.10 up to, but not including, 18.9.7, 18.10.6, and 18.11.3. The vulnerability does not impact Community Edition releases or other GitLab components, and the version bounds are specified in the vendor remediation guidance.
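Because the fix landed on three separate release branches, deciding whether a given instance is affected is not a single comparison: everything from 16.10 up to the 18.8 branch is affected with no patched release on its own branch, while 18.9, 18.10 and 18.11 are affected only below their respective fixed versions. The following script, an added example that is not OpenCVE's or GitLab's own code, encodes the bounds stated above and reports the nearest patched release to move to. It assumes GitLab version strings of the form `18.9.4-ee` (a dotted numeric with an optional suffix) and treats branches newer than 18.11 as unaffected, since 18.11.3 is the last fixed release named in the advisory.

```python
"""Triage helper for the advisory's version bounds.

Assumptions (not from the advisory): version strings look like
"18.9.4" or "18.9.4-ee"; minor branches newer than 18.11 are treated
as unaffected because 18.11.3 is the newest fixed release named.
"""

# First affected release (Enterprise Edition), from the advisory.
FIRST_AFFECTED = (16, 10, 0)

# Fixed release per minor branch, from the advisory.
FIXED = {
    (18, 9): (18, 9, 7),
    (18, 10): (18, 10, 6),
    (18, 11): (18, 11, 3),
}


def parse_version(version: str) -> tuple:
    """Turn "18.9.4-ee" into (18, 9, 4); missing components default to 0."""
    core = version.strip().split("-")[0]          # drop "-ee" style suffixes
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the instance version falls inside the advisory's range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        # On a patched branch: affected only below the fixed release.
        return v < FIXED[branch]
    # Branches older than 18.9 have no fix of their own and are affected;
    # branches newer than 18.11 are assumed unaffected (see module docstring).
    return branch < min(FIXED)


def recommended_fix(version: str):
    """Return the dotted patched release to upgrade to, or None if unaffected.

    Stays on the same branch when that branch has a fix; otherwise points
    at the oldest fixed release to minimise the upgrade jump.
    """
    if not is_affected(version):
        return None
    branch = parse_version(version)[:2]
    target = FIXED.get(branch, FIXED[min(FIXED)])
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "gitlab-a": "17.5.2-ee",
        "gitlab-b": "18.9.7-ee",
        "gitlab-c": "18.10.1-ee",
        "gitlab-d": "16.9.8-ee",
    }
    for host, ver in inventory.items():
        fix = recommended_fix(ver)
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not affected"
        print(f"{host:10} {ver:12} {status}")
```

Run it against an exported list of instance versions; any host reported as affected should be scheduled for the named patch release, and until then the Maintainer role membership on projects with approval rules is the population to review.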
Risk and Exploitability
The CVSS score of 2.7 marks the issue as low severity, and no EPSS score is available, indicating limited publicly known exploitation data. The flaw is not listed in the CISA KEV catalog. An attacker must be authenticated and hold Maintainer rights, so the attack vector is internal and requires prior access to the GitLab instance. While the potential impact involves unauthorized modification of project approval rules, the low CVSS score and absence of public exploits suggest a moderate risk profile that still warrants timely remediation.
OpenCVE Enrichment