Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Published: 2026-04-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Virtual Registries
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient session expiration in GitLab, allowing an attacker to use invalidated or incorrectly scoped credentials to log in to Virtual Registries. This flaw enables unauthorized access to registry contents and potentially exposes sensitive artifacts. The weakness is classified as CWE-613 (Insufficient Session Expiration), a failure to properly enforce session lifetime that compromises the confidentiality of registry data.

Affected Systems

GitLab Community and Enterprise Editions are affected. All releases from 18.2 through 18.9.5, 18.10 through 18.10.3, and 18.11.0 are vulnerable. Check the running version against these ranges before upgrading.

Risk and Exploitability

The CVSS score of 5.4 places this flaw in the medium severity category; the EPSS score is not available, which suggests no current public exploitation reports, and the flaw is not listed in the CISA KEV catalog. The most plausible attack path requires an attacker to obtain or compromise a user's session token that has not yet expired; the flaw then allows that token to be reused, so the exploit amounts to a credential reuse attack. Because there is no remote code execution component, the impact is limited to unauthorized registry access, but the potential damage to data integrity and confidentiality is significant.

Generated by OpenCVE AI on April 22, 2026 at 18:25 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.6, 18.10.4, or 18.11.1 or later for both CE and EE
  • Ensure that session expiration settings are correctly configured and enforced in the GitLab instance
  • Review audit logs for unexpected or repeated access to Virtual Registries and consider additional monitoring or access controls

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Title Insufficient Session Expiration in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-613
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:51:09.883Z

Reserved: 2026-04-17T13:33:58.292Z

Link: CVE-2026-6515

Vulnrichment

Updated: 2026-04-22T17:51:00.525Z

NVD

Status: Analyzed

Published: 2026-04-22T17:16:44.923

Modified: 2026-04-23T20:18:22.383

Link: CVE-2026-6515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses