Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.
Published: 2026-06-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab allows an authenticated developer to modify hidden merge requests due to incorrect authorization enforcement, letting developers alter internal project changes they should not be able to reach. The vulnerability is an access-control weakness (CWE-863) and can compromise the integrity of project histories. It does not directly expose sensitive data, but it affects project integrity and trust.

Affected Systems

GitLab, including both Community Edition and Enterprise Edition, for all releases from 15.10 through 18.10.7, 18.11 through 18.11.4, and 19.0 through 19.0.1. Versions 18.10.8, 18.11.5, 19.0.2 and later contain the fix.

Risk and Exploitability

With a CVSS score of 5.4, the risk is moderate. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that widespread exploitation is unlikely. The attack requires an authenticated user with developer permissions and no external network interaction, so internal users could abuse it if visibility controls are misconfigured.

Generated by OpenCVE AI on June 11, 2026 at 12:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.10.8, 18.11.5, 19.0.2 or newer
  • Ensure that merge request visibility rules are properly configured and that hidden merge requests are truly inaccessible to developers
  • Monitor merge request changes to detect unauthorized modifications and review audit logs for suspicious activity


Tracking


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Values added:

Metrics: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Values added:

Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.
Title: Incorrect Authorization in GitLab
First Time appeared: Gitlab; Gitlab gitlab
Weaknesses: CWE-863
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab; Gitlab gitlab
References:
Metrics: cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:30:06.368Z

Reserved: 2026-04-14T11:04:04.629Z

Link: CVE-2026-6269

Vulnrichment

Updated: 2026-06-11T12:30:00.733Z

NVD

Status: Received

Published: 2026-06-11T12:16:32.090

Modified: 2026-06-11T12:16:32.090

Link: CVE-2026-6269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses