GitLab CE/EE GraphQL Insufficient Access Control Vulnerability Allowing Removal of Project Runners

A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 15.4 prior to 18.5.5, 18.6 prior to 18.6.3, and 18.7 prior to 18.7.1. This vulnerability allows authenticated users with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. The issue stems from insufficient access control granularity in the GraphQL runnerUpdate mutation, which could be exploited by users with the right permissions to disrupt runner assignments across projects.

Impact

Exploitation of this vulnerability could lead to unauthorized removal of project runners, disrupting CI/CD pipelines and potentially causing delays in development processes.

Remediation

Users are advised to upgrade to GitLab versions 18.7.1, 18.6.3, or 18.5.5. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, refer to the Updating the Runner page.