Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab CE/EE evaluated package protection rules only after the package asset had already been accessed, the pattern catalogued as CWE-1280 (Access Control Check Implemented After Asset is Accessed). An authenticated user holding the Developer role on a project could therefore modify packages that the protection rules reserve for higher roles, bypassing the protection boundary. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) attributes a low integrity impact only: no disclosure, no code execution and no denial of service are recorded for this flaw.
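The record does not publish GitLab's actual code path, so the following is an added example, not GitLab's code, illustrating the class of bug: a toy package registry whose protection rules are modelled on GitLab's package protection rules (a name pattern plus a minimum access level for push). The access-level numbers are GitLab's real values; the `*` wildcard syntax, the "most restrictive matching rule wins" behaviour and the `Registry` class are assumptions made for the example.

```python
# Added example, not GitLab's code: the CWE-1280 "check after access" pattern
# on a toy package registry whose protection rules are modelled on GitLab's
# package protection rules.  Access-level numbers are GitLab's real values;
# the pattern syntax and "most restrictive rule wins" behaviour are assumptions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

DEVELOPER, MAINTAINER, OWNER = 30, 40, 50


@dataclass(frozen=True)
class ProtectionRule:
    package_name_pattern: str           # '*' wildcard, e.g. "@corp/*"
    minimum_access_level_for_push: int  # MAINTAINER or OWNER


def required_push_level(rules, package_name):
    """Lowest role allowed to push `package_name`.

    Every rule whose pattern matches applies and the strictest one wins.
    Packages no rule covers keep the default of Developer.
    """
    levels = [r.minimum_access_level_for_push
              for r in rules if fnmatchcase(package_name, r.package_name_pattern)]
    return max(levels, default=DEVELOPER)


@dataclass
class Registry:
    rules: list = field(default_factory=list)
    store: dict = field(default_factory=dict)  # name -> version -> payload

    def _write(self, name, version, payload):
        self.store.setdefault(name, {})[version] = payload

    def publish_vulnerable(self, user_level, name, version, payload):
        """CWE-1280: the asset is written *before* the rule is evaluated.

        The caller still gets a PermissionError, so the bypass is silent:
        the response says "denied" while the artifact is already persisted.
        """
        self._write(name, version, payload)
        needed = required_push_level(self.rules, name)
        if user_level < needed:
            raise PermissionError(f"{name}@{version}: push needs level {needed}")
        return True

    def publish_fixed(self, user_level, name, version, payload):
        """Authorize first; only then touch the asset."""
        needed = required_push_level(self.rules, name)
        if user_level < needed:
            raise PermissionError(f"{name}@{version}: push needs level {needed}")
        self._write(name, version, payload)
        return True

    def has(self, name, version):
        return version in self.store.get(name, {})


def demo():
    """A Developer pushes to a protected name through both code paths.

    Returns, per path, whether the push was denied and whether the
    artifact nevertheless ended up in the store.
    """
    rules = [ProtectionRule("@corp/*", MAINTAINER)]
    results = {}
    for label, method in (("vulnerable", "publish_vulnerable"),
                          ("fixed", "publish_fixed")):
        reg = Registry(rules=rules)
        try:
            # Constructed sample payload; a real push would carry a tarball.
            getattr(reg, method)(DEVELOPER, "@corp/auth-lib", "1.2.4", b"constructed-bytes")
            denied = False
        except PermissionError:
            denied = True
        results[label] = {"denied": denied,
                          "persisted": reg.has("@corp/auth-lib", "1.2.4")}
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the combination in the vulnerable path: the push is reported as denied, yet the artifact is stored, so neither the pusher's tooling nor an audit of failed requests reveals that the rule was bypassed. Moving the check ahead of any write, as `publish_fixed` does, is the whole fix.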

Affected Systems

GitLab CE and EE, all versions from 18.3 up to but not including 18.9.7, from 18.10 up to but not including 18.10.6, and from 18.11 up to but not including 18.11.3. The 18.3 to 18.9 range covers every intermediate minor release (18.4, 18.5 and so on), not only 18.3 itself. Both Community Edition and Enterprise Edition are affected.
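A small check, added here and not part of the OpenCVE record or of any GitLab tooling, that maps an installed version string onto the ranges above and names the first fixed release in the same branch. Versions outside every listed range (18.2.x, 18.12.x) come back as not affected only because the record names no other range; that is an assumption of the check, not a statement by GitLab.

```python
# Added example, not from OpenCVE or GitLab: decide whether an installed
# GitLab version falls inside the affected ranges this record lists.
from typing import Optional, Tuple

# (first affected, inclusive; first fixed, exclusive), as stated in the description
AFFECTED_RANGES = [
    ("18.3.0", "18.9.7"),
    ("18.10.0", "18.10.6"),
    ("18.11.0", "18.11.3"),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '18.10.4-ee' or 'v18.10.4' into (18, 10, 4); missing parts are 0.

    The '-ee' suffix is what `gitlab-rake gitlab:env:info` prints for EE.
    """
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def first_fix_for(version: str) -> Optional[str]:
    """Lowest fixed release in the installed branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return first_fix_for(version) is not None


if __name__ == "__main__":
    for v in ("18.5.2", "18.10.4-ee", "18.9.7", "18.12.0"):
        print(v, "affected, upgrade to" if is_affected(v) else "not in listed ranges", first_fix_for(v) or "")
```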

Risk and Exploitability

The CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the issue Medium. The EPSS estimate is below 1% (very low), the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. Exploitation requires an authenticated account that already holds the Developer role on the project, so the realistic attacker is an insider or someone holding a compromised developer account or token. Within that boundary the attacker can alter protected package contents that should require a higher role; because downstream builds and deployments consume those packages, a tampered artifact can propagate beyond the GitLab instance itself.

Generated by OpenCVE AI on May 14, 2026 at 07:25 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab CE/EE to version 18.9.7, 18.10.6, 18.11.3 or newer
  • Verify after the upgrade that existing package protection rules are enforced, for example by attempting a push with a Developer-role token against a protected package name and confirming it is rejected and nothing is stored
  • Restrict developer‑role access to only the projects that truly require it, and audit package protection configurations for the rest

Advisories

No advisories yet.

History

Fri, 15 May 2026 20:00:00 +0000

  CPEs (values added):
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

  Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

  Description (values added): GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.
  Title (values added): Access Control Check Implemented After Asset is Accessed in GitLab
  First Time appeared (values added): Gitlab (vendor); Gitlab gitlab (product)
  Weaknesses (values added): CWE-1280
  CPEs (values added): cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Gitlab; Gitlab gitlab
  References (values added): none listed
  Metrics (values added): cvssV3_1
    {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:06:45.555Z

Reserved: 2026-03-05T17:33:14.076Z

Link: CVE-2026-3607

Vulnrichment

Updated: 2026-05-14T13:06:41.232Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:22.790

Modified: 2026-05-15T19:57:36.690

Link: CVE-2026-3607

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T10:30:05Z

Weaknesses