Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
Published: 2026-06-11
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab has a flaw that lets an authenticated user with the developer role hide modifications from merge request diff views by exploiting how file names are processed. This does not provide code execution or system compromise, but it undermines the transparency of code review: a reviewer who approves a merge request on the basis of the rendered diff can approve changes they never saw, so the concealed changes can reach the target branch without scrutiny. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

All GitLab Community and Enterprise editions from 15.9 up to, but not including, 18.10.8; from 18.11 up to, but not including, 18.11.5; and from 19.0 up to, but not including, 19.0.2 are impacted. Users should verify that they are running a patched version of these products.

Risk and Exploitability

The CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N) indicates low overall risk: the attack is reachable over the network but is high in complexity, requires an authenticated account holding the developer role on the project, and requires a reviewer to interact with the crafted merge request. EPSS puts the probability of exploitation below 1%, and the vulnerability is not listed in CISA's KEV catalog. The flaw grants no write access beyond what the developer role already has; its effect is that changes the developer has pushed can be concealed from the diff view a reviewer relies on, so the impact is limited to the visibility of changes, and it does not by itself provide persistence or broader compromise. The low score is not a reason to defer the upgrade: the fix is a routine version bump, and the weakness targets the review step that other code-integrity controls depend on.

Generated by OpenCVE AI on June 11, 2026 at 12:50 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.


OpenCVE Recommended Actions

  • Upgrade to the vendor-patched versions 18.10.8, 18.11.5, 19.0.2, or later.
  • Restrict developer-role permissions to trusted users only and enforce least-privilege principles for repository access.
  • Enable audit logging for merge requests and, until patched, do not rely on the web diff view alone for sensitive branches: compare the merge request against the output of git diff --name-status between the merge base and the source head in a local checkout to detect any hidden or missing file changes.
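
As a concrete form of the last recommendation, the following is an added example written for this page; it is not GitLab's own code and is not taken from the advisory. It parses git diff --name-status -z output and the JSON list the GitLab merge request diffs API returns for the same MR, and reports every path git knows about that the API list omits. The endpoint (GET /projects/:id/merge_requests/:iid/diffs) and its old_path/new_path fields are assumed from the GitLab REST API as the author understands it, and the sample git output and API response are constructed data, not real observations.

```python
"""Cross-check a merge request's changed-file list against git itself.

Added example for this advisory; it is not GitLab code and is not taken from
the page. It lists every path git reports as changed between the merge base
and the source head that the GitLab diff API does not list for the same MR.
Assumed, not stated on the page:
  * API side: the JSON array returned by
    GET /projects/:id/merge_requests/:iid/diffs, whose entries carry
    old_path and new_path (plus new_file / renamed_file / deleted_file);
  * git side: `git diff --name-status -z <base>...<head>` in a checkout that
    has fetched both refs.
"""
import subprocess
from typing import Iterable, List, Set


def _decode(path: bytes) -> str:
    # surrogateescape keeps undecodable bytes instead of raising; a file name
    # that is not valid UTF-8 is precisely the input a diff viewer may mishandle.
    return path.decode("utf-8", "surrogateescape")


def parse_name_status_z(raw: bytes) -> Set[str]:
    """Return every path touched according to `git diff --name-status -z`.

    -z output is NUL-separated and unquoted, so names containing newlines,
    quotes or non-UTF-8 bytes arrive intact (without -z git C-quotes them).
    Record shapes:
        M\\0path\\0               also A, D, T, U
        R<score>\\0old\\0new\\0   also C<score>
    """
    fields = raw.split(b"\0")
    if fields and fields[-1] == b"":
        fields.pop()  # drop the empty field after the trailing NUL
    paths: Set[str] = set()
    i = 0
    while i < len(fields):
        status = fields[i]
        need = 3 if status[:1] in (b"R", b"C") else 2
        if not status or i + need > len(fields):
            raise ValueError("malformed --name-status -z record at field %d" % i)
        for path in fields[i + 1:i + need]:
            paths.add(_decode(path))
        i += need
    return paths


def paths_from_api(diffs: Iterable[dict]) -> Set[str]:
    """Collect every old_path/new_path the GitLab diff API lists."""
    paths: Set[str] = set()
    for entry in diffs:
        for key in ("old_path", "new_path"):
            if entry.get(key):
                paths.add(entry[key])
    return paths


def hidden_paths(git_raw: bytes, api_diffs: Iterable[dict]) -> List[str]:
    """Paths git says changed that the API diff list omits (sorted)."""
    return sorted(parse_name_status_z(git_raw) - paths_from_api(api_diffs))


def git_name_status(repo: str, base: str, head: str) -> bytes:
    """Run the git side against a real checkout (not exercised by the sample)."""
    return subprocess.run(
        ["git", "-C", repo, "diff", "--name-status", "-z", f"{base}...{head}"],
        check=True, capture_output=True,
    ).stdout


# Constructed sample: git's view of a hypothetical MR ...
SAMPLE_GIT = (
    b"M\0src/app.rb\0"
    b"A\0lib/helper.rb\0"
    b"R100\0old/name.rb\0new/name.rb\0"
    b"A\0notes\nhidden.txt\0"  # a newline in the name, left unquoted under -z
)
# ... and a constructed API response that lists only two of those changes.
SAMPLE_API = [
    {"old_path": "src/app.rb", "new_path": "src/app.rb",
     "new_file": False, "renamed_file": False, "deleted_file": False},
    {"old_path": "old/name.rb", "new_path": "new/name.rb",
     "new_file": False, "renamed_file": True, "deleted_file": False},
]

if __name__ == "__main__":
    for path in hidden_paths(SAMPLE_GIT, SAMPLE_API):
        print("changed in git but absent from MR diff list: %r" % path)
```

The check deliberately takes its ground truth from git rather than from anything the web UI renders, so a file name that confuses the viewer cannot also hide the file from the comparison; the -z form avoids git's C-style quoting of unusual names, the decoder tolerates non-UTF-8 bytes, and a truncated record is rejected rather than silently skipped. For a real MR, replace SAMPLE_GIT with git_name_status(repo, merge_base_sha, source_head_sha) and SAMPLE_API with the parsed API response.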

Generated by OpenCVE AI on June 11, 2026 at 12:50 UTC.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type                  Values Removed   Values Added
Description           (none)           GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
Title                 (none)           Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared   (none)           Gitlab; Gitlab gitlab
Weaknesses            (none)           CWE-639
CPEs                  (none)           cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Gitlab; Gitlab gitlab
References            (none)           (none)
Metrics               (none)           cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:33:23.414Z

Reserved: 2026-04-24T18:33:29.831Z

Link: CVE-2026-6976

Vulnrichment

Updated: 2026-06-11T12:33:20.303Z

NVD

Status: Received

Published: 2026-06-11T12:16:32.467

Modified: 2026-06-11T12:16:32.467

Link: CVE-2026-6976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T13:00:15Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key