CVE-2026-5796
Authenticated Package Metadata Exposure in GitLab CE/EE

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitLab Inc.

Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.
Affected Vendors & Products (6 associated CPEs)

Vendor   Product     Version / Range
gitlab   gitlab_ce   From 13.6 (inc) to 18.11.6 (exc)
gitlab   gitlab_ee   From 13.6 (inc) to 18.11.6 (exc)
gitlab   gitlab_ce   From 19.0 (inc) to 19.0.3 (exc)
gitlab   gitlab_ee   From 19.0 (inc) to 19.0.3 (exc)
gitlab   gitlab_ce   From 19.1 (inc) to 19.1.1 (exc)
gitlab   gitlab_ee   From 19.1 (inc) to 19.1.1 (exc)
Weakness (CWE)

CWE ID    Description
CWE-863   Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

This vulnerability in GitLab CE/EE affects versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. Under certain conditions, an authenticated user with Reporter-level group permissions could view package metadata from projects even when the Package Registry was disabled. This was due to incorrect authorization checks in the group packages feature.

Impact Analysis

The impact of this vulnerability is that a user with Reporter-level permissions could access package metadata that should have been restricted, potentially exposing sensitive information about project packages. However, the vulnerability does not allow modification or deletion of data, only limited information disclosure.

Mitigation Strategies

To mitigate this vulnerability, upgrade GitLab CE/EE to a fixed version: 18.11.6 or later if you are running any version before 18.11.6, 19.0.3 or later if you are on the 19.0 series, or 19.1.1 or later if you are on the 19.1 series.

This will ensure that the incorrect authorization checks in the group packages feature are corrected, preventing authenticated users with Reporter-level group permissions from viewing package metadata from projects with the Package Registry disabled.
