CVE-2026-1751
BaseFortify
Publication date: 2026-02-02
Last updated on: 2026-02-04
Assigner: GitLab Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 16.8.0 (inc) to 18.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This is a missing-authorization flaw (CWE-862) in GitLab CE/EE. A user who authored a merge request and was later removed from the project could still edit that merge request's approval rules through the REST API. The web UI applies the check correctly: only project members with at least the Developer role may override approval rules, and a removed user loses that ability. The API code path did not apply the same role check, so the removed author could lower the number of required approvals to zero, bypass the approval workflow, and merge changes into a protected branch without any review. [1]
How can this vulnerability impact me?
A user who has been removed from a project, and should have no remaining influence over it, can weaken or remove the approval requirement on their own merge request through the API and merge unreviewed changes into a protected branch. The direct impact is loss of code integrity: the mandatory-review control that protected branches rely on is silently bypassed, and whatever was merged flows on into the pipelines and releases built from that branch. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves a trace in GitLab's API log (api_json.log, found under /var/log/gitlab/gitlab-rails/ on Omnibus installs): a successful POST, PUT or DELETE to a merge request's approval-rule endpoints (`/api/v4/projects/:id/merge_requests/:iid/approval_rules[/:rule_id]`, or the older `/approvals` endpoint) issued by a user who is not a current member of the project. Correlate the `user_id` and `username` in those records with the project's membership (`GET /api/v4/projects/:id/members/all`) and treat any approval-rule write from a non-member, especially one that sets `approvals_required` to 0, as a likely exploitation attempt; a 403 on the same request means the authorization check held. The referenced resources do not supply ready-made commands. [1]
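The following detector implements the check described above. It is an added example for this page, not GitLab's own tooling: it reads api_json.log lines, matches writes to the merge-request approval-rule endpoints, and compares the requesting user against a membership table. The log excerpt and the `PROJECT_MEMBERS` table are constructed for the example; the field names follow GitLab's api_json.log format. It goes slightly beyond the paragraph by also reporting denied attempts (403) by non-members and zeroing of `approvals_required` by legitimate members, since both are worth a look during an investigation.

```python
"""Scan GitLab api_json.log for merge-request approval-rule writes by users who
are not current project members, the request pattern behind CVE-2026-1751.

Example code added to this page, not GitLab's own tooling.  The log lines and
the membership table are CONSTRUCTED; the field names (time, method, path,
status, user_id, username, remote_ip, params) follow GitLab's api_json.log.
"""
import json
import re
from typing import Dict, Iterable, List, Set

# MR approval-rule endpoints: create/update/delete a rule, plus the older
# /approvals endpoint that sets approvals_required directly.
APPROVAL_PATH = re.compile(
    r"^/api/v4/projects/(?P<project>\d+)/merge_requests/(?P<mr>\d+)"
    r"/(?:approval_rules(?:/\d+)?|approvals)/?$"
)
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# CONSTRUCTED: project id -> ids of current members.  Build the real table
# from GET /api/v4/projects/:id/members/all (includes inherited members).
PROJECT_MEMBERS: Dict[int, Set[int]] = {42: {7, 8, 9}}

# CONSTRUCTED log excerpt: a harmless read, a maintainer raising the
# requirement, a removed author zeroing it (succeeds on a vulnerable instance),
# the same user denied on a patched instance, and a member zeroing a rule.
SAMPLE_LOG = """\
{"time":"2026-02-01T10:00:00.000Z","method":"GET","path":"/api/v4/projects/42/merge_requests/5","status":200,"user_id":8,"username":"dev_b","remote_ip":"10.0.0.8","params":[]}
{"time":"2026-02-01T10:02:00.000Z","method":"PUT","path":"/api/v4/projects/42/merge_requests/5/approval_rules/11","status":200,"user_id":9,"username":"maintainer","remote_ip":"10.0.0.9","params":[{"key":"approvals_required","value":"2"}]}
{"time":"2026-02-01T10:05:00.000Z","method":"PUT","path":"/api/v4/projects/42/merge_requests/5/approval_rules/11","status":200,"user_id":13,"username":"removed_author","remote_ip":"203.0.113.5","params":[{"key":"approvals_required","value":"0"}]}
{"time":"2026-02-01T10:06:00.000Z","method":"PUT","path":"/api/v4/projects/42/merge_requests/5/approval_rules/11","status":403,"user_id":13,"username":"removed_author","remote_ip":"203.0.113.5","params":[{"key":"approvals_required","value":"0"}]}
{"time":"2026-02-01T10:09:00.000Z","method":"POST","path":"/api/v4/projects/42/merge_requests/6/approvals","status":201,"user_id":9,"username":"maintainer","remote_ip":"10.0.0.9","params":[{"key":"approvals_required","value":"0"}]}
"""


def _param(params, key: str):
    """api_json.log records params as a list of {"key": ..., "value": ...}."""
    for entry in params or []:
        if isinstance(entry, dict) and entry.get("key") == key:
            return entry.get("value")
    return None


def find_suspicious(log_lines: Iterable[str],
                    members: Dict[int, Set[int]]) -> List[dict]:
    """Return approval-rule writes worth investigating, in log order."""
    findings = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        match = APPROVAL_PATH.match(ev.get("path", ""))
        if not match or ev.get("method") not in WRITE_METHODS:
            continue
        project = int(match.group("project"))
        is_member = ev.get("user_id") in members.get(project, set())
        succeeded = 200 <= int(ev.get("status", 0)) < 300
        zeroed = str(_param(ev.get("params"), "approvals_required")) == "0"

        if not is_member and succeeded:
            severity = "high"
            reason = "approval rule changed by a user who is not a project member"
        elif not is_member:
            severity = "medium"
            reason = "approval-rule write by non-member was denied (attempt)"
        elif zeroed:
            severity = "low"
            reason = "member set approvals_required to 0; confirm it was intended"
        else:
            continue
        findings.append({
            "severity": severity, "time": ev.get("time"),
            "user_id": ev.get("user_id"), "username": ev.get("username"),
            "remote_ip": ev.get("remote_ip"), "project": project,
            "merge_request": int(match.group("mr")), "path": ev["path"],
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines(), PROJECT_MEMBERS):
        print(f"[{f['severity']}] {f['time']} {f['username']} ({f['remote_ip']}) "
              f"{f['path']}: {f['reason']}")
```

On a real instance, replace `SAMPLE_LOG.splitlines()` with the file handle for api_json.log and build `PROJECT_MEMBERS` from the members API; because membership is checked as of now, a user re-added after the fact will not be flagged, so run the audit against membership snapshots if you keep them.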
What immediate steps should I take to mitigate this vulnerability?
Upgrade GitLab CE/EE to 18.5.0 or later, which contains the fix; the flaw affects versions from 16.8.0 up to but not including 18.5.0. Until the upgrade lands: review open merge requests whose author has been removed from the project and restore any approval rule that was lowered to zero; when offboarding a user from a project, revoke or expire their personal access tokens as well, since removing membership alone does not invalidate API credentials; and watch the API log for approval-rule writes by non-members. Disabling API access temporarily, as the referenced resource suggests, also breaks CI and integration traffic and is rarely practical; treat it as a last resort. [1]
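The review step above can be scripted. The following audit is an added example for this page, not GitLab's own tooling: given the open merge requests of a project, each one's approval rules, and the project's current members, it flags merge requests that no longer require any approval, ranking highest those whose author is no longer a member. The three documents are constructed, but they follow the shape of the REST responses for `GET /api/v4/projects/:id/merge_requests?state=opened`, `GET /api/v4/projects/:id/merge_requests/:iid/approval_rules` and `GET /api/v4/projects/:id/members/all`; fetch them with curl and a read-only token and pass the parsed JSON to `audit_project()` (a name chosen for this example).

```python
"""Audit open merge requests for approval rules that no longer require any
approval, prioritising those whose author is not a current project member.

Example code added to this page, not GitLab's own tooling.  The three
documents below are CONSTRUCTED but follow the shape of GitLab's REST
responses; replace them with the output of:
  GET /api/v4/projects/:id/merge_requests?state=opened
  GET /api/v4/projects/:id/merge_requests/:iid/approval_rules
  GET /api/v4/projects/:id/members/all
"""
from typing import Dict, List

OPEN_MRS = [
    {"iid": 5, "title": "Refactor auth", "target_branch": "main",
     "author": {"id": 13, "username": "removed_author"}},
    {"iid": 6, "title": "Docs update", "target_branch": "main",
     "author": {"id": 8, "username": "dev_b"}},
    {"iid": 7, "title": "Rotate keys", "target_branch": "release",
     "author": {"id": 13, "username": "removed_author"}},
]
RULES_BY_IID: Dict[int, List[dict]] = {
    5: [{"id": 11, "name": "Security", "rule_type": "regular", "approvals_required": 0}],
    6: [{"id": 12, "name": "Any", "rule_type": "any_approver", "approvals_required": 0}],
    7: [{"id": 13, "name": "Security", "rule_type": "regular", "approvals_required": 2}],
}
MEMBERS = [
    {"id": 7, "username": "owner", "access_level": 50},
    {"id": 8, "username": "dev_b", "access_level": 30},
    {"id": 9, "username": "maintainer", "access_level": 40},
]


def audit_project(open_mrs: List[dict], rules_by_iid: Dict[int, List[dict]],
                  members: List[dict]) -> List[dict]:
    """Return merge requests whose approval posture needs review."""
    member_ids = {m["id"] for m in members}
    findings = []
    for mr in open_mrs:
        rules = rules_by_iid.get(mr["iid"], [])
        # Every rule must be satisfied before merge, so the MR is unguarded
        # only when no rule requires an approval (or no rule exists at all).
        unguarded = all(r.get("approvals_required", 0) == 0 for r in rules)
        author_is_member = mr["author"]["id"] in member_ids

        if not author_is_member and unguarded:
            severity = "high"
            reason = "author removed from project and no rule requires approval"
        elif not author_is_member:
            severity = "medium"
            reason = "author removed from project; check the rule edit history"
        elif unguarded:
            severity = "low"
            reason = "no rule requires approval; confirm this is intended"
        else:
            continue
        findings.append({
            "iid": mr["iid"], "title": mr["title"], "severity": severity,
            "author": mr["author"]["username"],
            "target_branch": mr["target_branch"], "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in audit_project(OPEN_MRS, RULES_BY_IID, MEMBERS):
        print(f"[{f['severity']}] !{f['iid']} -> {f['target_branch']} "
              f"by {f['author']}: {f['reason']}")
```

For each high finding, restore `approvals_required` through the UI or a PUT to the rule endpoint as a Maintainer, and review anything already merged from that author into the target branch.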
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The flaw lets a user who has been removed from a project bypass merge request approval rules and merge unreviewed, potentially malicious code into protected branches, undermining the integrity controls of the software development lifecycle.
Frameworks such as GDPR and HIPAA expect strict access control and an auditable change process for systems that handle personal or health data. A change that slips past a mandatory-approval gate weakens the evidence those controls rely on, and any vulnerability or breach it introduces would carry its own reporting obligations.
The referenced resources do not discuss the compliance impact directly.