GitLab GitLab GitLab Version Control Server

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any GitLab product.

RSS Feeds for GitLab security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in GitLab products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by GitLab Sorted by Most Security Vulnerabilities since 2018

GitLab1374 vulnerabilities
Version Control Server and CI/CD Platform

GitLab Gitaly3 vulnerabilities

GitLab Runner2 vulnerabilities

GitLab 1 vulnerability

GitLab Ai Gateway1 vulnerability

GitLab Dast Api Scanner1 vulnerability

Gitlab Runner1 vulnerability

Gitlab Vscode Extension1 vulnerability

GitLab Language Server1 vulnerability

GitLab Omnibus1 vulnerability

Known Exploited GitLab Vulnerabilities

The following GitLab vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
GitLab Server-Side Request Forgery (SSRF) Vulnerability GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled.
CVE-2021-22175 Exploit Probability: 53.4%
February 18, 2026
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API.
CVE-2021-39935 Exploit Probability: 35.6%
February 3, 2026
GitLab Community and Enterprise Editions Improper Access Control Vulnerability GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.
CVE-2023-7028 Exploit Probability: 95.0%
May 1, 2024

The vulnerability CVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 2 known exploited GitLab vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 152 vulnerabilities in GitLab with an average score of 5.7 out of ten. Last year, in 2025 GitLab had 162 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GitLab in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.35




Year Vulnerabilities Average Score
2026 152 5.74
2025 162 6.09
2024 147 6.35
2023 183 5.60
2022 152 5.75
2021 157 5.44
2020 237 6.15
2019 165 6.33
2018 33 6.71

It may take a day or so for new GitLab vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent GitLab Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-12506 Jul 08, 2026
GitLab Repo Creation Web-Download Mismatch via Improper Git Ref (18.11.7) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
GitLab
CVE-2026-6352 Jul 08, 2026
GitLab EE Auth Bypass: Auditors can alter compliance records via GraphQL GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.
GitLab
CVE-2026-6896 Jul 08, 2026
GitLab EE: Arbitrary Script Exec via XSS in EE <18.11.7,<19.0.4,<19.1.2 GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
GitLab
CVE-2026-7492 Jul 08, 2026
GitLab <=18.11.6 Unauth Detect Private Projects via Cross-Project Ref check GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
GitLab
CVE-2026-8472 Jul 08, 2026
Auth Bypass: GitLab EE 18.9-18.11.7/19.0-19.0.4/19.1-19.1.2 Reading Metadata GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.
GitLab
CVE-2026-11827 Jul 08, 2026
GitLab EE Auth Bypass: Maintainer Can Read Stored Credentials (v<18.11.7, 19.0<19.0.4, 19.1<19.1.2) GitLab has remediated an issue in GitLab EE affecting all versions from 9.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to obtain another user's stored credentials due to improper authorization controls.
GitLab
CVE-2026-13151 Jul 08, 2026
Auth Bypass Enables Priv Esc in GitLab EE 16.1018.11.7 / 19.019.0.4 / 19.119.1.2 GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper authorization controls.
GitLab
CVE-2026-13320 Jul 08, 2026
GitLab CE/EE XSS: Authenticated exec via improper sanitization (18.11.7, 19.1.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input.
GitLab
CVE-2026-10086 Jun 25, 2026
GitLab EE 18.11.6/19.0.3/19.1.1: Dev role XSS via code exec GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.
GitLab
CVE-2026-0934 Jun 25, 2026
GitLab EE: Auth Priv Access to Env Configs (v17.9-18.11,19.0-19.0,19.1-19.1) GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.
GitLab
CVE-2026-1606 Jun 25, 2026
GitLab CE/EE Snippet Escalation (18.11.5, 19.0.2, 19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation.
GitLab
CVE-2026-2238 Jun 25, 2026
GitLab CE/EE <18.11.6/19.0.3/19.1.1 Unauthorized Confidential Issue Ref Access GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to view confidential issue references on public projects due to improper authorization checks.
GitLab
CVE-2026-3176 Jun 25, 2026
GitLab EE 18.618.11.5/19.0/19.1 AuthZ Bypass (Limited Auth) GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with limited permissions to access project information due to insufficient authorization checks.
GitLab
CVE-2026-5309 Jun 25, 2026
Unauth Access to GitLab EE Virtual Registry Cleanup Policy (18.11.6, 19.1.1) GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization.
GitLab
CVE-2026-5796 Jun 25, 2026
GitLab CE/EE Pkg Reg Metadata View Bypass (13.6-18.11.5,19.0-19.0.2,19.1-19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.
GitLab
CVE-2026-5952 Jun 25, 2026
GitLab <18.11.6, <19.0.3, <19.1.1: Dev Auth Bypass Pkg Protect, Overwrite Mvn Meta GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.
GitLab
CVE-2026-8330 Jun 25, 2026
GitLab CI/CD Log Disclosure via API (before 18.11.6, <19.0.3, <19.1.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.
GitLab
CVE-2026-10712 Jun 25, 2026
GitLab CE/EE XSS via Improper Path Validation (18.11.5/19.0.2/19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
GitLab
CVE-2026-11379 Jun 25, 2026
GitLab EE Auth Bypass in DAST Site Profile (<18.11.6, <19.0.3, <19.1.1) GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.
GitLab
CVE-2026-12053 Jun 25, 2026
GitLab EE <19.1.1 Improper Output Filtering in Duo Workflows Allows Sensitive Data Leak GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows.
GitLab
CVE-2026-12635 Jun 25, 2026
GitLab Mirror Sync URL Validation flaw (8.318.11.5 & 19.x before patch) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.
GitLab
CVE-2026-1500 Jun 11, 2026
GitLab DoS via Uncontrolled Resource Consumption on File Upload (17.1018.10.8, 18.1118.11.5, 19.019. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.
GitLab
CVE-2026-3553 Jun 11, 2026
GitLab CE/EE <=18.10.8 Auth Bypass Exposes Issue Details GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.
GitLab
CVE-2026-6269 Jun 11, 2026
GitLab Auth Bypass on Hidden MRs (v15.1019.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.
GitLab
CVE-2026-6277 Jun 11, 2026
Auth Bypass in GitLab EE 13.9-18.10.8,18.11-18.11.5,19.0-19.0.2 (SM Role) GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.
GitLab
CVE-2026-6552 Jun 11, 2026
Improper Auth in GitLab EE Group SAML (v15.518.10.8, 18.1118.11.5, 19.019.0.2) Owner Takeover GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.
GitLab
CVE-2026-6976 Jun 11, 2026
GitLab CE/EE v15.9-18.10.8/18.11.5/19.0-19.0.2 Auth Dev Hide MR Diff GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
GitLab
CVE-2026-7250 Jun 11, 2026
GitLab API Middleware DoS vulnerability before v18.11.5 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
GitLab
CVE-2026-8589 Jun 11, 2026
GitLab EE: Unauth email addition via flawed sanitization, fixed in 19.0.2 GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.
GitLab
CVE-2026-9204 Jun 11, 2026
GitLab CE/EE 18.10-19.0: Auth File Read via Bad Sec URL Validation GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.
Gitaly
CVE-2026-9694 Jun 11, 2026
Unauth GitLab Support Bot Impersonation via Service Desk Email CVE-2026-9694 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
GitLab
CVE-2026-10087 Jun 11, 2026
GitLab EE up to 18.10.7, 18.11.4, 19.0.1 XSS via Analytics Dashboard GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
GitLab
CVE-2026-10733 Jun 11, 2026
GitLab CI/CD Catalog DoS via Improper Sanitization (v17.0-<18.10.8/18.11-<18.11.5/19.0-<19.0.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.
GitLab
CVE-2026-9807 May 28, 2026
GitLab auth allows blocked PAT to access resources before 18.10.7/18.11.4/19.0.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.
GitLab
CVE-2026-1402 May 27, 2026
GitLab 17.1-18.10.7/18.11-18.11.4/19.0-19.0.1 Authenticated DoS GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.
GitLab
CVE-2026-2601 May 27, 2026
GitLab EE Auth Bypass: Dev Access to Deployment Data (<18.10.7, <18.11.4, <19.0.1) GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.
GitLab
CVE-2026-4868 May 27, 2026
GitLab EE <18.10.7 / <18.11.4 / <19.0.1: Auth User Can Run Duo AI as Another User GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.
GitLab
CVE-2026-5296 May 27, 2026
GitLab EE Flow Bypass 18.718.10.7/18.1118.11.4/19.019.0.1 GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.
GitLab
CVE-2026-6713 May 27, 2026
GitLab CE/EE unauth project enumeration via mis-auth (pre-18.10.7/18.11.4/19.0.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.
GitLab
CVE-2026-8716 May 27, 2026
GitLab CE/EE 18.10.7/18.11.4/19.0.1 Authenticated CI Data Leak GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.
GitLab
CVE-2025-12669 May 14, 2026
GitLab CE/EE HTML/JS injection via email notifications (15.11-18.11.X) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.
GitLab
CVE-2025-13874 May 14, 2026
GitLab CE/EE <18.9.7: Guest Auth can View Unauthorized Issues GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.
GitLab
CVE-2025-14869 May 14, 2026
GitLab API DoS via crafted payloads 18.5-18.9.7, 18.10-18.10.6, 18.11-18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.
GitLab
CVE-2025-14870 May 14, 2026
GitLab CE/EE DoS via crafted JSON before 18.9.7, 18.10.6, 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.
GitLab
CVE-2026-1184 May 14, 2026
GitLab EE <18.9.7 -> DOS via Crafted File Upload GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.
GitLab
CVE-2026-1322 May 14, 2026
GitLab AuthZ:OAuth Users Create Issues (v16<18.9.7,18.10<18.10.6,18.11<18.11.3) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
GitLab
CVE-2026-1338 May 14, 2026
Auth-Role Dev Tag Delete Flaw, GitLab <=18.9.7,18.10<=18.10.6,18.11<=18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.
GitLab
CVE-2026-1659 May 14, 2026
GitLab CE/EE DoS via Input Validation, vulnerable before 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.
GitLab
CVE-2026-2900 May 14, 2026
GitLab EE Auth Bypass: Approval Rules (16.1018.9.6, 18.1018.10.5, 18.1118.11.2) GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.
GitLab
CVE-2026-3073 May 14, 2026
GitLab CE/EE PyPI Upload Auth Bypass before 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.
GitLab
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.