Impact
GitLab Enterprise Edition contains an incorrect authorization flaw that, under specific conditions, allows an authenticated user holding the Security Manager role to configure project security settings even when that capability is intended to be disabled. A user with that role could therefore alter security configuration (such as roles, policies, or scanning settings) that was meant to be locked, weakening the project's security posture or bypassing intended controls. The impact is limited to the scope of those configuration changes: the flaw provides neither remote code execution nor direct data exfiltration, but loosened security settings can serve as a stepping stone to further privilege escalation or compromise within the organization.
Affected Systems
The affected product is GitLab Enterprise Edition. All releases from version 13.9 up to but not including 18.10.8, from 18.11 up to but not including 18.11.5, and from 19.0 up to but not including 19.0.2 are vulnerable. Upgrading to 18.10.8, 18.11.5, or 19.0.2 or later resolves the issue.
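A quick way to decide whether an instance needs the upgrade is to compare its reported version against the three affected ranges above. The following is an added example written for this page, not GitLab's own tooling; the range boundaries are taken from the advisory text, and the sample version strings are constructed. On a live instance the input would come from the authenticated GET /api/v4/version endpoint, which returns a JSON object with a "version" field, but the function takes a plain string so it runs offline.

```python
"""Check a GitLab EE version string against the affected ranges in this advisory."""
import re

# (first affected, first fixed) per branch: inclusive lower bound, exclusive upper bound.
# Values come from the advisory text; 13.9 is treated as 13.9.0.
AFFECTED_RANGES = [
    ((13, 9, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' into an int tuple, ignoring suffixes such as '-ee'.

    A missing PATCH component is treated as 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text):
    """True if the version falls inside any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def minimum_fix_for(version_text):
    """Return the first fixed release on the same branch, or None if not affected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, in the format /api/v4/version reports.
    for sample in ["17.3.1-ee", "18.10.7-ee", "18.10.8-ee", "18.11.4-ee", "19.0.2-ee"]:
        verdict = "affected, upgrade to " + minimum_fix_for(sample) if is_affected(sample) else "not affected"
        print(f"{sample}: {verdict}")
```

Note that a release such as 18.10.9 is correctly reported as not affected: it is at or above the 18.10.8 fix and below the start of the 18.11 range.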
Risk and Exploitability
The vulnerability carries a CVSS score of 4.3 (medium severity). No EPSS score is available, so the current likelihood of exploitation is uncertain; it is not listed in the CISA KEV catalog, and no public exploit has been reported. Exploitation requires an authenticated account holding the Security Manager or an equivalent role, together with the specific configuration state under which the flaw manifests, so in practice the attacker is an insider or someone who has already obtained such credentials. The flaw does not crash or directly compromise the system, but security settings changed through it can weaken controls that other users and later attacks depend on, so on affected versions any changes to project security settings made by Security Manager accounts deserve review.
OpenCVE Enrichment