CVE-2026-5296
Authentication Bypass in GitLab EE via Flow Restrictions
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.11.0 (inc) to 18.11.4 (exc) |
| gitlab | gitlab | 19.0.0 |
| gitlab | gitlab | From 18.7.0 (inc) to 18.10.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab Enterprise Edition (EE) affected versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. It occurred when foundational flows were enabled at the group level, allowing an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.
How can this vulnerability impact me? :
An authenticated user with developer-role permissions could bypass flow restrictions, potentially allowing them to perform actions or access resources that should have been restricted by the foundational flows configured at the group level.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitLab EE to a fixed version. Specifically, update to version 18.10.7 or later if you are using the 18.7 to 18.10 series, 18.11.4 or later if you are using the 18.11 series, or 19.0.1 or later if you are using the 19.0 series.
Additionally, review and consider disabling foundational flows at the group level if they are enabled, as the vulnerability involves bypassing flow restrictions when these flows are enabled.