Impact
An incorrect authorization check in GitLab allows a blocked Project Access Token to keep accessing private resources, bypassing the intended revocation and exposing sensitive project data. Anyone who holds a blocked token, whether obtained by theft or left exposed through misconfiguration, can therefore still gain read or write access to private repositories, compromising the confidentiality of source code and potentially enabling further malicious activity. The weakness is classified as CWE-863, incorrect authorization.
Affected Systems
All GitLab Community Edition and Enterprise Edition deployments running a version from 18.9 up to (but not including) 18.10.7, from 18.11 up to (but not including) 18.11.4, or from 19.0 up to (but not including) 19.0.1 are vulnerable. The affected product is GitLab, maintained by GitLab Inc. Administrators running any of these releases must check their version and address the issue promptly.
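As an added example (not part of the advisory and not GitLab's own code), a small Python check that tells whether a reported GitLab version string falls inside the affected ranges above and which fixed release of the same branch it should move to. It assumes the version string looks like 18.10.6 or 18.10.6-ee; the fixed releases 18.10.7, 18.11.4 and 19.0.1 are taken from the advisory.

```python
"""Version check against the affected ranges listed in this advisory.

Added example, not GitLab's own code. The ranges are copied from the
"Affected Systems" section: each entry is (first affected, first fixed),
and a version is affected when first_affected <= version < first_fixed.
"""
from __future__ import annotations

AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((18, 9, 0), (18, 10, 7)),   # 18.9.x and 18.10.x below 18.10.7
    ((18, 11, 0), (18, 11, 4)),  # 18.11.x below 18.11.4
    ((19, 0, 0), (19, 0, 1)),    # 19.0.0 only
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; an edition/build suffix such as '-ee' or
    '-pre' is ignored (assumption: suffixes never change the ordering)."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def first_fixed_release(version: str) -> str | None:
    """Return the first fixed release on the same branch if `version` is in
    an affected range, or None if it is not affected by this advisory."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_affected(version: str) -> bool:
    return first_fixed_release(version) is not None


if __name__ == "__main__":
    import sys
    # Constructed sample inputs used when no version is given on the command line.
    for arg in sys.argv[1:] or ["18.10.6-ee", "18.10.7", "19.0.0", "18.8.9"]:
        fix = first_fixed_release(arg)
        print(f"{arg}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
```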
Risk and Exploitability
With a CVSS score of 4.3 the vulnerability is rated moderate; no EPSS score is available, so the current probability of exploitation cannot be assessed. It is not listed in the CISA KEV catalog, which suggests no known large-scale exploitation so far. The attack most likely requires possession of a blocked token and the ability to make API calls to the GitLab instance, so the vector is remote over authenticated traffic. Successful exploitation grants the attacker the same privileges as the token holder, effectively bypassing the blocking mechanism.
OpenCVE Enrichment