Description
GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition versions before 18.9.7, 18.10.6, and 18.11.3 contain an access control flaw that lets an authenticated user holding only the Developer role delete the code owner approval rules on a merge request. Those rules are how GitLab requires sign-off from the owners listed in CODEOWNERS before a change to a protected branch can be merged, so removing them strips a mandatory review step and lets a developer merge changes without the intended oversight. The weakness is CWE-639 (Authorization Bypass Through User-Controlled Key): the server acts on a request to delete a rule that it should have refused for that user. The practical effect is to undermine the code review control that governance and compliance processes in the software delivery pipeline depend on.

Affected Systems

This issue affects GitLab Enterprise Edition from version 11.10 up to, but not including, 18.9.7, 18.10.6, and 18.11.3 on their respective release branches. The vendor lists only GitLab EE as affected; code owner approval rules are a paid-tier (EE) feature, so GitLab Community Edition, which does not have them, is not in scope.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, score 4.3 (Medium): the flaw is reachable over the network with low complexity and no user interaction, but it requires an authenticated account with at least the Developer role, and its only rated impact is a partial loss of integrity. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is very low, and the vulnerability is not in the CISA KEV catalog. The realistic attacker is therefore an insider, or an outsider who has already obtained developer credentials (for example a leaked personal access token). Once the rule is removed, that user can merge code to a protected branch without the code owners' approval, introducing unreviewed changes into the repository; in any pipeline that deploys from that branch this is a supply-chain concern. The overall risk is moderate, but the fix should be applied promptly because the bypassed control is one that code review policy and compliance regimes commonly rely on.

Generated by OpenCVE AI on May 14, 2026 at 07:25 UTC.

Remediation

Vendor Solution

Upgrade to version 18.9.7, 18.10.6, or 18.11.3 or later on the corresponding release branch.


OpenCVE Recommended Actions

  • Upgrade GitLab EE to version 18.9.7, 18.10.6, or 18.11.3 or later, depending on the release branch in use.
  • Until the upgrade is done, keep the Developer role limited to people who need it and review each project's merge request approval settings, for example "Prevent editing approval rules in merge requests" and "Require approval from code owners" on protected branches. These settings harden the review process but are not a vendor-confirmed workaround for this flaw.
  • Audit who holds Developer or higher access, and review audit events and merge request approval history for approval rules that were removed before a merge.
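To turn the affected version ranges in the description and remediation sections into a check an operator can run against an inventory of instances, here is an added Python example (it is not OpenCVE's or GitLab's code). The ranges are taken from the advisory text; the parser, the function names and the sample version strings are this example's own assumptions. It accepts version strings in the forms GitLab reports them (such as `18.9.6-ee` or `v18.10.0-rc42-ee`), treats a pre-release of a fix version as still affected, and reports CE builds as out of scope because the advisory lists only EE.

```python
"""Classify GitLab version strings against the CVE-2026-6063 affected ranges.

Added example. The ranges come from the advisory; everything else here
(names, regex, sample inventory) is an assumption of this script.
"""
import re
from typing import NamedTuple


class GitLabVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int  # 1 for a final release, 0 for a pre-release such as 18.9.7-rc1
    edition: str  # "ee", "ce", or "" when the string carries no edition suffix


# Accepts the forms GitLab itself reports: "18.9.6-ee", "v18.10.0-rc42-ee", "18.11.0-pre".
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>rc\d*|pre\d*))?(?:-(?P<edition>ee|ce))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> GitLabVersion:
    """Parse a GitLab version string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return GitLabVersion(
        major=int(m["major"]),
        minor=int(m["minor"]),
        patch=int(m["patch"] or 0),
        release=0 if m["pre"] else 1,
        edition=(m["edition"] or "").lower(),
    )


# Half-open [first affected, first fixed) ranges from the advisory text:
# 11.10 before 18.9.7, 18.10 before 18.10.6, 18.11 before 18.11.3.
# The lower bound uses release=0 so pre-releases of the first affected version
# are included; the upper bound uses release=1 so a pre-release of the fix
# version (e.g. 18.9.7-rc1) still counts as affected.
AFFECTED_RANGES = (
    ((11, 10, 0, 0), (18, 9, 7, 1)),
    ((18, 10, 0, 0), (18, 10, 6, 1)),
    ((18, 11, 0, 0), (18, 11, 3, 1)),
)


def is_affected(text: str) -> bool:
    """True if the version falls inside an affected range for CVE-2026-6063."""
    v = parse_version(text)
    if v.edition == "ce":
        return False  # the advisory lists only GitLab EE as affected
    key = (v.major, v.minor, v.patch, v.release)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each instance name to whether its reported version is affected."""
    return {name: is_affected(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the hostnames and versions are made up.
    sample = {
        "gitlab-prod": "18.9.6-ee",
        "gitlab-staging": "18.10.6-ee",
        "gitlab-dev": "v18.11.3-rc1-ee",
        "gitlab-legacy": "17.5.1-ee",
        "gitlab-community": "18.9.6-ce",
    }
    for name, affected in triage(sample).items():
        print(f"{name:18} {sample[name]:18} {'AFFECTED' if affected else 'ok'}")
```

The version string an instance reports can be taken from the `version` field of the GitLab REST API's `/version` endpoint or from the admin area; feed those strings into `triage()` in place of the constructed sample. Note that 18.0 through 18.8 fall inside the first range, since the advisory's "11.10 before 18.9.7" covers every release up to that fix.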



Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.
Title Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-639
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:21:53.278Z

Reserved: 2026-04-10T12:33:39.407Z

Link: CVE-2026-6063

Vulnrichment

Updated: 2026-05-14T13:21:49.048Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:24.307

Modified: 2026-05-16T03:34:11.930

Link: CVE-2026-6063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T07:45:15Z

Weaknesses