Missing Authorization in GitLab Community Edition and GitLab Enterprise Edition - CVE-2026-2900
Published: May 18, 2026
GitLab Community Edition
GitLab Enterprise Edition
Detailed vulnerability description
The vulnerability allows a remote user to modify or delete project approval rules.
The vulnerability exists due to missing authorization checks in GraphQL approval rule mutations when instance-level approval rule editing prevention is enabled. A remote privileged user can use these mutations to modify or delete project approval rules.
The issue occurs only when instance-level approval rule editing prevention is enabled.