CVE-2026-11379
Status: Received - Intake
Incorrect Authorization in GitLab EE DAST Site Profile Secrets Exfiltration

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitLab Inc.

Description
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.
Affected Vendors & Products

Vendor   Product     Version / Range
gitlab   gitlab_ee   From 13.11 (inclusive) to 18.11.6 (exclusive)
gitlab   gitlab_ee   From 19.0 (inclusive) to 19.0.3 (exclusive)
gitlab   gitlab_ee   From 19.1 (inclusive) to 19.1.1 (exclusive)
CWE

CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability exists in GitLab EE versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1. It involves incorrect authorization in the management of DAST (Dynamic Application Security Testing) site profiles. Specifically, a user with a Developer role could exploit this flaw under certain conditions to exfiltrate secrets stored in DAST site profiles.

Compliance Impact

Because of incorrect authorization in DAST site profile management, a user holding only the Developer role can read secrets stored in DAST site profiles (for example, credentials the scanner uses to authenticate to the target site).

Exposure of those secrets can lead to unauthorized access to the systems they protect, which may affect compliance with data protection regulations such as GDPR and HIPAA that require strict control over access to sensitive information.

The advisory itself does not discuss the impact of this vulnerability on any specific standard or regulation; the compliance considerations above are inferred from the nature of the exposed data.

Impact Analysis

The impact of this vulnerability is that a user with Developer-level access could gain unauthorized access to sensitive secrets contained within DAST site profiles. This could lead to the exposure of confidential information, potentially compromising the security of applications and systems that rely on these secrets.

Mitigation Strategies

To mitigate this vulnerability, upgrade GitLab EE to a fixed version. The affected versions are all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1; upgrading to 18.11.6 or later, 19.0.3 or later, or 19.1.1 or later remediates the issue. After upgrading, it is prudent to rotate any credentials stored in DAST site profiles that users with the Developer role could have reached while a vulnerable version was in service.
