Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.
Published: 2026-06-25
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab CE and EE contained an authorization flaw that allowed an authenticated user with Reporter-level group permissions to view package metadata from projects in which the Package Registry feature was disabled. This is an access-control failure that can expose metadata not intended to be visible to such a user, potentially aiding attackers in gathering information about project contents. The weakness corresponds to CWE-863: Incorrect Authorization.

Affected Systems

All GitLab CE/EE releases from version 13.6 up to but not including 18.11.6, from 19.0.0 up to but not including 19.0.3, and from 19.1.0 up to but not including 19.1.1 are vulnerable. These are all supported GitLab releases listed under the GitLab:GitLab product family.

Risk and Exploitability

The CVSS base score of 4.3 corresponds to medium severity. An attacker needs to be authenticated and hold at least Reporter privileges in a group that contains a project with the Package Registry disabled, which limits the exploitation surface compared with attacks that require no prior access. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low to moderate likelihood of exploitation at present. The most likely attack vector is an internal or partially privileged user exploiting the flawed access check to gather package metadata.

Generated by OpenCVE AI on June 25, 2026 at 06:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to GitLab version 18.11.6, 19.0.3, 19.1.1 or later.
  • Re-evaluate Reporter permissions in groups that contain projects with a disabled Package Registry, and remove Reporter access or assign a more restrictive role where appropriate.
  • Regularly audit group and project access logs to detect unauthorized metadata access attempts and adjust group policies accordingly.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type                  Values Removed   Values Added
Description           -                GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.
Title                 -                Incorrect Authorization in GitLab
First Time appeared   -                Gitlab; Gitlab gitlab
Weaknesses            -                CWE-863
CPEs                  -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products    -                Gitlab; Gitlab gitlab
References            -                -
Metrics               -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:34:24.040Z

Reserved: 2026-04-08T13:34:11.540Z

Link: CVE-2026-5796

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:45:05Z

Weaknesses