Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.
Published: 2026-05-27
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Community Edition (CE) and Enterprise Edition (EE) releases from 18.2 before 18.10.7, from 18.11 before 18.11.4, and from 19.0 before 19.0.1 contain an incorrect authorization check that could allow an unauthorized user to enumerate private projects. The weakness is classified as CWE-863 (Incorrect Authorization). It permits unintended disclosure of project metadata and of the existence of private resources, which can aid an attacker by revealing the organization's repository landscape for later targeting.

Affected Systems

All GitLab CE/EE installations on an affected release line (18.2 before 18.10.7, 18.11 before 18.11.4, 19.0 before 19.0.1) are affected, including any deployment that has not yet been updated to one of the patched releases.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates medium severity: the flaw is reachable over the network, requires no privileges or user interaction, and affects confidentiality only. No EPSS score is available yet, so the current likelihood of exploitation cannot be assessed. The vulnerability is not listed in CISA KEV. An attacker who can reach the GitLab instance over the network needs no credentials; crafted requests that reach the flawed authorization check can enumerate private projects.

Generated by OpenCVE AI on May 27, 2026 at 19:12 UTC.

Remediation

Vendor Solution

Upgrade to version 18.10.7, 18.11.4, or 19.0.1, or a later release.

OpenCVE Recommended Actions

  • Upgrade GitLab CE/EE to version 18.10.7, 18.11.4, or 19.0.1, or a later release.
  • Re-verify that project visibility settings are still applied as intended, so that private projects remain hidden from unauthenticated and unprivileged users.
  • Monitor GitLab access logs for repeated enumeration attempts (for example, many requests for different project paths from one source) and apply rate limiting or intrusion detection where possible.

Generated by OpenCVE AI on May 27, 2026 at 19:12 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description          -                GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.
Title                -                Incorrect Authorization in GitLab
First Time appeared  -                Gitlab; Gitlab gitlab
Weaknesses           -                CWE-863
CPEs                 -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   -                Gitlab; Gitlab gitlab
References           -                -
Metrics              -                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-27T19:22:57.385Z

Reserved: 2026-04-20T18:33:22.687Z

Link: CVE-2026-6713

Vulnrichment

Updated: 2026-05-27T19:22:28.083Z

NVD

Status: Undergoing Analysis

Published: 2026-05-27T19:16:24.640

Modified: 2026-05-27T19:32:17.897

Link: CVE-2026-6713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:15:26Z

Weaknesses