Improper access control in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2026-6063


Published: May 18, 2026


Vulnerability identifier: #VU131684
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-6063
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to remove code owner approval rules from merge requests.

The vulnerability exists due to improper access control in code owner approval rules when handling merge request approval rule changes. A remote user can remove code owner approval rules from merge requests.

The issue occurs under certain conditions.
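As an added detection example (not part of this advisory and not GitLab's own code): a small audit routine that compares two snapshots of a merge request's approval rules and reports code owner rules that disappeared, or that were kept but had their required approval count dropped to zero. It assumes rule objects shaped like those returned by GitLab's merge request approval rules REST endpoint (fields `id`, `name`, `rule_type`, `approvals_required`, with `rule_type` equal to `code_owner` for rules derived from CODEOWNERS); the two snapshots below are constructed sample data, and the function names are the example's own.

```python
"""Audit helper for merge request approval rules.

Added example: compares a 'before' and 'after' snapshot of a merge request's
approval rules and flags code owner rules that were removed or neutralised.
The record shape is an assumption modelled on GitLab's
GET /projects/:id/merge_requests/:iid/approval_rules response.
"""
import json
from typing import Dict, Iterable, List


def code_owner_rules(rules: Iterable[dict]) -> Dict[int, dict]:
    """Index every code owner rule in a snapshot by its rule id."""
    return {r["id"]: r for r in rules if r.get("rule_type") == "code_owner"}


def removed_code_owner_rules(before: List[dict], after: List[dict]) -> List[str]:
    """Names of code owner rules present before but absent afterwards."""
    prior = code_owner_rules(before)
    now = code_owner_rules(after)
    return sorted(rule["name"] for rid, rule in prior.items() if rid not in now)


def neutralised_code_owner_rules(before: List[dict], after: List[dict]) -> List[str]:
    """Names of code owner rules still present but now requiring zero approvals."""
    prior = code_owner_rules(before)
    now = code_owner_rules(after)
    return sorted(
        rule["name"]
        for rid, rule in now.items()
        if rid in prior
        and prior[rid].get("approvals_required", 0) > 0
        and rule.get("approvals_required", 0) == 0
    )


def audit_snapshots(before_json: str, after_json: str) -> dict:
    """Run both checks over two JSON snapshots and summarise the findings."""
    before = json.loads(before_json)
    after = json.loads(after_json)
    removed = removed_code_owner_rules(before, after)
    neutralised = neutralised_code_owner_rules(before, after)
    return {
        "removed_code_owner_rules": removed,
        "neutralised_code_owner_rules": neutralised,
        # Any weakening of code owner rules on a merge request warrants review.
        "needs_review": bool(removed or neutralised),
    }


# Constructed sample snapshots (not real GitLab data).
BEFORE = json.dumps([
    {"id": 11, "name": "Code Owner: /src/auth/", "rule_type": "code_owner", "approvals_required": 1},
    {"id": 12, "name": "Code Owner: /infra/", "rule_type": "code_owner", "approvals_required": 1},
    {"id": 20, "name": "QA sign-off", "rule_type": "regular", "approvals_required": 1},
])
AFTER = json.dumps([
    {"id": 12, "name": "Code Owner: /infra/", "rule_type": "code_owner", "approvals_required": 0},
    {"id": 20, "name": "QA sign-off", "rule_type": "regular", "approvals_required": 1},
])

if __name__ == "__main__":
    print(json.dumps(audit_snapshots(BEFORE, AFTER), indent=2))
```

In practice the two snapshots would be fetched from the API before and after a rule change (or reconstructed from audit events), and a `needs_review` result would be routed to whoever owns the protected paths rather than silently accepted.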


How to mitigate CVE-2026-6063

Install the security update from the vendor's website.

Sources