CVE-2026-5296 - Vulnerability Details

- Missing Authorization in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

Published: 2026-05-27

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an authorization bypass in GitLab Enterprise Edition that may allow an authenticated user with developer role permissions, when foundational flows are enabled at the group level, to circumvent flow restrictions under certain conditions. This flaw, identified as CWE‑862, could enable the user to perform actions beyond the intended permissions, potentially affecting configuration or deployment processes. The impact is limited to unauthorized access to group‑level flow controls rather than system‑wide compromise or data exfiltration.

Affected Systems

GitLab Enterprise Edition versions prior to 18.10.7, 18.11.4 and 19.0.1 are affected. Specifically, all releases from 18.7 through the last minor releases before the mentioned patch levels are vulnerable when foundational flows are enabled at the group level. The flaw is present in GitLab EE and not in other products.

Risk and Exploitability

With a CVSS score of 4.3, the vulnerability is considered moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The likely attack vector requires an authenticated user with developer role who can configure group settings; therefore the threat is confined to environments where such users have access. While the flaw does not enable remote code execution, it permits unauthorized manipulation of flow restrictions, which could be leveraged for privilege escalation within the project.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GitLab

unaffected

Version	Status	Constraints
`18.7`	affected	< 18.10.7
`18.11`	affected	< 18.11.4
`19.0`	affected	< 19.0.1

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:19.0.0::::enterprise:::

No data.

Vendor Product Confidence Versions

Gitlab

95%

Version	Status	Scheme	Platform
`[18.7,18.10.7)`	affected	semver	['enterprise']
`[18.11,18.11.4)`	affected	semver	['enterprise']
`[19.0,19.0.1)`	affected	semver	['enterprise']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to versions 18.10.7, 18.11.4, 19.0.1 or above.

OpenCVE Recommended Actions

Upgrade to GitLab EE version 18.10.7, 18.11.4, 19.0.1 or later.
As a temporary measure, revoke foundational flow permissions at the group level or remove developer role access until the patch is applied.
Disable foundational flows for all groups that require tighter controls until the upgrade is completed.

Generated by OpenCVE AI on May 27, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00011.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/595423
https://hackerone.com/reports/3626303

History

Wed, 27 May 2026 21:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:19.0.0::::enterprise:::

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.
Title		Missing Authorization in GitLab
First Time appeared		Gitlab Gitlab gitlab
Weaknesses		CWE-862
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab
References		https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/ https://gitlab.com/gitlab-org/gitlab/-/work_items/595423 https://hackerone.com/reports/3626303
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Gitlab Gitlab

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2026-05-27T17:55:18.937Z

Updated: 2026-05-27T19:01:02.944Z

Reserved: 2026-04-01T00:04:42.884Z

Link: CVE-2026-5296

Vulnrichment

Updated: 2026-05-27T19:01:00.207Z

NVD

Status : Analyzed

Published: 2026-05-27T19:16:24.450

Modified: 2026-05-27T20:46:56.457

Link: CVE-2026-5296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T04:15:06Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object