Main Vulnerability Database Vulnerabilities #VU135175

Improper access control in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-5309

Published: June 25, 2026

Vulnerability identifier: #VU135175

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-5309

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: GitLab, Inc

Affected software:
GitLab Enterprise Edition
Gitlab Community Edition

Detailed vulnerability description

The vulnerability allows a remote user to read or modify another group's virtual registry cleanup policy settings.

The vulnerability exists due to improper access control in virtual registry cleanup policy api when handling requests for group policy settings. A remote user can send a crafted request to read or modify another group's virtual registry cleanup policy settings.

How to mitigate CVE-2026-5309

Install security update from vendor's website.

Sources

https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/

Improper access control in GitLab Enterprise Edition and Gitlab Community Edition - CVE-2026-5309

Detailed vulnerability description

How to mitigate CVE-2026-5309

Sources

Please verify you're human