Primary

Context

GitLab EE Improper Access Control Vulnerability Allowing Removal of Code Owner Approval Rules

Vulnerability

Patched

A vulnerability exists in GitLab EE versions 11.10 prior to 18.9.7, 18.10 prior to 18.10.6, and 18.11 prior to 18.11.3. Under certain conditions, this vulnerability could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests, due to improper access control.

Impact

Exploitation of this vulnerability could lead to unauthorized removal of code owner approval rules from merge requests, potentially allowing for changes to be merged without proper review.

Remediation

Users can upgrade to GitLab EE versions 18.9.7, 18.10.6, or 18.11.3 to address this vulnerability.

Added: May 14, 2026, 6:47 AM

Updated: May 14, 2026, 6:47 AM

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

0.6

exploitability

5.2

remediation

7.7

relevance

8.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

7.3

impact

0.6

exploitability

5.2

remediation

7.7

relevance

8.3

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

GitLab EE Improper Access Control Vulnerability Allowing Removal of Code Owner Approval Rules

Vulnerability

Impact

Remediation

Affected Products

GitLab

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating