CVE-2026-1751
BaseFortify

Publication date: 2026-02-02

Last updated on: 2026-02-04

Assigner: GitLab Inc.

Description
A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gitlab gitlab From 16.8.0 (inc) to 18.5.0 (exc)
gitlab gitlab From 16.8.0 (inc) to 18.5.0 (exc)
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in GitLab allows a user who was removed from a project (specifically a removed author of a merge request) to still edit the merge request's approval rules via the API, even though the UI correctly prevents this. Normally, only users with at least the Developer role can override approval rules, and once removed, the UI disallows editing. However, the API does not enforce this role check, enabling the removed user to set approval requirements to zero and bypass the approval process, potentially merging malicious changes into protected branches. [1]

Impact Analysis

This vulnerability can allow an unauthorized user, who has been removed from a project, to bypass merge request approval workflows by modifying approval rules through the API. This can lead to malicious code being merged into protected branches without proper review, compromising the integrity and security of the codebase. [1]

Detection Guidance

This vulnerability can be detected by monitoring API requests that modify merge request approval rules, specifically edits made by accounts that no longer hold project membership or the required role. Detection involves reviewing API request logs for approval-rule modifications from users without current project membership or at least the Developer role. Because the bypass occurs through API calls that the UI already blocks, GitLab's API audit logs or captured network traffic showing approval-rule modifications are the relevant data sources for spotting exploitation attempts; the cited resource does not provide specific queries or commands. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading GitLab CE/EE to version 18.5.0 or later, where the vulnerability is fixed. Until the upgrade, restrict API access to trusted users only, especially limiting permissions for users who have been removed from projects. Additionally, monitor API usage for suspicious approval rule modifications and consider disabling API access temporarily if possible. Applying strict access controls and reviewing merge request approval rules can help reduce risk. [1]

Compliance Impact

The vulnerability allows unauthorized users who have been removed from a project to bypass merge request approval rules and merge potentially malicious code into protected branches. This undermines the integrity and security of the software development lifecycle.

Such unauthorized code changes could lead to the introduction of vulnerabilities or data breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require strict access controls and auditability of changes.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.
