Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.
Published: 2026-06-25
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect authorization check in GitLab Community Edition and Enterprise Edition permits an authenticated user with developer permissions to bypass package protection rules and overwrite protected Maven package metadata. This flaw could allow the attacker to alter package metadata, compromising the integrity and authenticity of artifacts distributed through the repository. The weakness is classified as CWE‑863: Improper Authorization.

Affected Systems

Affected products are GitLab Community Edition and GitLab Enterprise Edition versions 17.11 up to, but not including, 18.11.6; 19.0 up to, but not including, 19.0.3; and 19.1 up to, but not including, 19.1.1. The vulnerability applies to all GitLab instances running these versions, regardless of deployment environment, as long as the package registry is enabled and Maven packages are covered by package protection rules.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, and no EPSS score is available, suggesting limited public exploitation evidence. The vulnerability is not listed in the CISA KEV catalog, indicating no known high-profile incidents. However, any user with developer-level access can exploit the flaw, and developer access is often granted to many contributors, so the risk is plausible wherever developer permissions are granted broadly. The likely attack vector is authenticated developer actions within GitLab that involve uploading or managing package metadata.

Generated by OpenCVE AI on June 25, 2026 at 07:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.6 or later, 19.0.3 or later, or 19.1.1 or later to address the incorrect authorization check.
  • Adjust repository permissions to restrict overwrite of protected package metadata to maintainers or administrators only, ensuring developers cannot modify package metadata.
  • Disable or review any custom authorization scripts or third‑party plugins that might interfere with the built‑in GitLab package protection.

Generated by OpenCVE AI on June 25, 2026 at 07:23 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.
Title | | Incorrect Authorization in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-863
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:34:14.043Z

Reserved: 2026-04-09T07:04:17.666Z

Link: CVE-2026-5952

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses