SB20260528265 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Description

This security bulletin contains information about 6 vulnerabilities.

1) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-4868)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper user identity resolution when triggering Duo AI workflow runners. A remote user can cause specific Duo AI workflows to run under another user’s identity.

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-1402)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation in Wiki. A remote user can cause a denial of service condition on the target system.

3) Incorrect authorization (CVE-ID: CVE-2026-6713)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to incorrect authorization checks in GraphQL WorkItem API. A remote attacker can enumerate private projects.

4) Missing Authorization (CVE-ID: CVE-2026-5296)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization in Duo Workflows API. A remote user can bypass flow restrictions under certain conditions.

5) Missing Authorization (CVE-ID: CVE-2026-2601)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to improper authorization checks in Operations. A remote user can access sensitive deployment data on projects.

6) Use of Incorrectly-Resolved Name or Reference (CVE-ID: CVE-2026-8716)

CWE-ID: CWE-706 - Use of Incorrectly-Resolved Name or Reference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to incorrect name resolution in Pipelines. A remote user can access CI data from a different ref type than intended.

Remediation

Install update from vendor's website.

References

• https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-1-released/