GitLab
cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*
- >= 16.8, < 18.5.0
A vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 16.8 prior to 18.5.0 that allows unauthorized modification of merge request approval rules under specific conditions. The issue arises because a merge request author who has been removed from the project can still edit the merge request's approval rules through the API, even though the user interface blocks this and the documentation states it is not permitted.
Exploitation of this vulnerability could lead to unauthorized changes in merge request approval rules, potentially allowing malicious modifications to be merged into protected branches.
The vulnerability can be reproduced by creating a merge request in a public project that accepts external contributions and then removing the merge request author from the project. Although the UI no longer allows that user to edit the approval rules, the API still accepts changes from them, such as overriding the merge request's approval rules through a specific API endpoint.
Update the GitLab instance to version 18.5.0 or later, where this vulnerability has been fixed.