Description
GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.
Published: 2026-05-14
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition contains a flaw that permits an authenticated user to circumvent merge request approval rules because orphaned policy records are not properly cleaned up. The vulnerability stems from missing authorization checks, classified as CWE-862, and can allow a user who would normally be restricted from approving or reviewing a merge request to modify or delete approval records, effectively lifting required safeguards. The impact is limited to the integrity of the approval tracking process, exposing the project to unauthorized changes without the required review.

Affected Systems

GitLab version 15.7 through 18.9.6, 18.10.0 through 18.10.5, and 18.11.0 through 18.11.2 are affected. Versions 18.9.7, 18.10.6, 18.11.3 and later are not susceptible.

Risk and Exploitability

The CVSS score of 2.6 indicates low severity. EPSS is not available, so current exploitation likelihood cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploits at this time. The likely attack vector requires an authenticated session, so only users with access credentials can exploit it. In the absence of a public exploit, the risk mainly depends on internal threat actors with legitimate access.

Generated by OpenCVE AI on May 14, 2026 at 07:52 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.7, 18.10.6, 18.11.3 or later
  • Verify that merge request approval policies remain intact and check for orphaned policy records
  • Review and tighten user permissions to limit the ability to modify approval records, enforcing least privilege

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type                 Values Removed   Values Added
CPEs                 -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description          -                GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.
Title                -                Missing Authorization in GitLab
First Time appeared  -                Gitlab; Gitlab gitlab
Weaknesses           -                CWE-862
CPEs                 -                cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   -                Gitlab; Gitlab gitlab
References           -                -
Metrics              -                cvssV3_1 {'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:14:42.194Z

Reserved: 2026-04-22T19:33:27.795Z

Link: CVE-2026-6883

Vulnrichment

Updated: 2026-05-14T13:14:38.042Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:25.117

Modified: 2026-05-16T03:33:30.927

Link: CVE-2026-6883

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:00:11Z

Weaknesses