Primary

Context

GitLab EE Improper Access Control Vulnerability in Runner API Allowing Project Runner Hijacking

Vulnerability

Patched

A vulnerability exists in GitLab Enterprise Edition (EE) versions 17.1 prior to 18.3.5, 18.4 prior to 18.4.3, and 18.5 prior to 18.5.1. This vulnerability could have enabled an authenticated attacker with specific permissions to hijack project runners from other projects. The issue arises from improper access control in the runner API, allowing unauthorized manipulation of project runners.

Impact

Exploitation of this vulnerability could lead to unauthorized access and control over project runners, allowing attackers to execute jobs in the context of the hijacked runners.

Remediation

Users are advised to upgrade to GitLab versions 18.5.1, 18.4.3, or 18.3.5. Instructions for updating GitLab can be found on the GitLab Update page. For GitLab Runner, refer to the Updating the Runner page.

Added: Oct 29, 2025, 7:18 AM

Updated: Oct 29, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

1.3

exploitability

5.2

remediation

7.7

relevance

0.8

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

1.3

exploitability

5.2

remediation

7.7

relevance

0.8

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

GitLab EE Improper Access Control Vulnerability in Runner API Allowing Project Runner Hijacking

Vulnerability

Impact

Remediation

Affected Products

GitLab

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating