Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab contains an improper authorization check that lets any authenticated user holding the Developer role upload PyPI packages whose names package protection rules were meant to reserve for higher roles (Maintainer, Owner or Admin). This could allow malicious or tampered packages to be published into a project's package registry, exposing every consumer that installs from it (CI jobs, developer machines, downstream projects) to compromised dependencies, i.e. a software supply-chain attack.

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from 17.6 up to, but not including, 18.9.7; from 18.10.0 up to, but not including, 18.10.6; and from 18.11.0 up to, but not including, 18.11.3 are vulnerable. The fix ships in GitLab 18.9.7, 18.10.6 and 18.11.3, and later releases in each of those lines include it.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): reachable over the network, low attack complexity, low privileges required, no user interaction, and an impact limited to integrity. EPSS is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation and rates it not automatable. An attacker needs valid credentials for a user who already holds the Developer role on the target project. The flaw does not grant code execution on the GitLab instance itself; its impact is that a Developer can publish PyPI packages under names the project intended to restrict to Maintainers or Owners, and anything that installs those packages may then pull attacker-controlled code, which is how a low-privilege registry write becomes a supply-chain compromise.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.9.7, 18.10.6, 18.11.3, or a later release that includes the fix.
  • If an upgrade cannot be performed immediately, note that the package protection rules themselves are what is bypassed, so tightening them is not a mitigation. Instead, reduce the set of users holding the Developer role on projects that rely on PyPI protection rules, or temporarily disable the package registry for those projects so that no PyPI uploads are accepted until the fix is deployed.
  • Review the package registries of affected projects for PyPI packages published by Developer-role users under names covered by protection rules during the exposure window, and keep audit logging enabled so that anomalous upload activity can be detected going forward.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.
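The Impact paragraph and the last recommended action above both come down to one check: before a PyPI upload is accepted, the registry must match the package's canonical name against the project's protection rules and compare the uploader's real project access level with the rule's minimum push level. The Python below is an added example written for this page, not GitLab's code and not a reconstruction of the CVE-2026-3073 patch (the page does not say where GitLab's check went wrong), so it shows only the invariant a correct check must hold and reuses that check to audit past uploads. The rule shape and the access-level numbers (Developer=30, Maintainer=40, Owner=50, Admin=60) follow GitLab's documented model; every function name, field name and sample record is constructed for this example.

```python
"""Model of PyPI package protection-rule enforcement plus a retrospective
audit of upload events.

Added example for CVE-2026-3073; this is NOT GitLab's code. The rule shape
(wildcard package-name pattern, package type, minimum access level for push)
and the access-level numbers follow GitLab's documented model; every
function, field name and sample record below is constructed for this example.
"""
import fnmatch
import re
from dataclasses import dataclass

DEVELOPER, MAINTAINER, OWNER, ADMIN = 30, 40, 50, 60


def normalize_pypi_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'.

    Rules must be matched against this canonical form; matching the raw
    client-supplied name would let 'Acme_Auth' slip past an 'acme-*' rule.
    """
    return re.sub(r"[-_.]+", "-", name).lower()


@dataclass(frozen=True)
class ProtectionRule:
    package_name_pattern: str   # wildcard pattern such as "acme-*"
    package_type: str           # e.g. "pypi"
    minimum_access_level_for_push: int


def matching_rules(rules, package_type, package_name):
    """Rules whose type matches and whose pattern matches the canonical name."""
    canonical = normalize_pypi_name(package_name)
    return [
        r for r in rules
        if r.package_type == package_type
        and fnmatch.fnmatchcase(canonical, normalize_pypi_name(r.package_name_pattern))
    ]


def push_allowed(rules, package_type, package_name, user_access_level):
    """Authorization decision for one upload.

    user_access_level must be the uploader's actual project access level,
    resolved server-side from the authenticated identity, never a value taken
    from the request. With no matching rule, Developer (30) may push (the
    registry default); otherwise the strictest matching rule wins.
    """
    required = max(
        (r.minimum_access_level_for_push
         for r in matching_rules(rules, package_type, package_name)),
        default=DEVELOPER,
    )
    return user_access_level >= required


@dataclass(frozen=True)
class UploadEvent:
    package_name: str
    package_type: str
    uploader: str
    uploader_access_level: int


def audit_uploads(rules, events):
    """Return uploads a correctly enforced rule set would have rejected.

    After patching, run this over the registry's package list (name, type,
    creator, creator's role at upload time) to find packages published while
    the bypass was exploitable.
    """
    return [
        e for e in events
        if not push_allowed(rules, e.package_type, e.package_name, e.uploader_access_level)
    ]


# Constructed sample data (no real projects, users or packages).
RULES = [
    ProtectionRule("acme-*", "pypi", MAINTAINER),
    ProtectionRule("internal_core", "pypi", OWNER),
]
EVENTS = [
    UploadEvent("acme-auth", "pypi", "dev1", DEVELOPER),         # should have been blocked
    UploadEvent("Acme_Auth", "pypi", "dev2", DEVELOPER),         # same package, name variant
    UploadEvent("acme-auth", "pypi", "maint1", MAINTAINER),      # permitted by the rule
    UploadEvent("Internal.Core", "pypi", "maint1", MAINTAINER),  # rule requires Owner
    UploadEvent("unrelated-lib", "pypi", "dev1", DEVELOPER),     # no rule matches
    UploadEvent("acme-auth", "npm", "dev1", DEVELOPER),          # rule is pypi-only
]

if __name__ == "__main__":
    for e in audit_uploads(RULES, EVENTS):
        print(f"flagged: {e.package_name} ({e.package_type}) uploaded by {e.uploader}")
```

Two design points matter for the audit use. First, the role fed to the check should be the role the uploader held at upload time, which audit events preserve and current membership does not. Second, the normalization step is what makes the audit catch name variants such as `Acme_Auth`; a scan that compares raw names against rule patterns will miss them.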

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type     Values Removed    Values Added
CPEs     cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
         cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type     Values Removed    Values Added
Metrics  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000 (initial record)

Type                 Values Added
Description          GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
Title                Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared  Gitlab; Gitlab gitlab
Weaknesses           CWE-639
CPEs                 cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   Gitlab; Gitlab gitlab
References
Metrics              cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:07:50.839Z

Reserved: 2026-02-23T20:03:47.655Z

Link: CVE-2026-3073

Vulnrichment

Updated: 2026-05-14T13:07:45.929Z

NVD

Status: Analyzed

Published: 2026-05-14T06:16:22.240

Modified: 2026-05-16T03:36:17.793

Link: CVE-2026-3073

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:00:10Z

Weaknesses