CVE-2026-6515
Received - Intake
Credential Validation Bypass in GitLab Virtual Registries Access
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitLab Inc.
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.4 (exc) |
| gitlab | gitlab | From 18.2.0 (inc) to 18.9.6 (exc) |
| gitlab | gitlab | 18.11.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |