CVE-2026-5796
Analyzed Analyzed - Analysis Complete

Authenticated Package Metadata Exposure in GitLab CE/EE

Vulnerability report for CVE-2026-5796, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: GitLab Inc.

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
gitlab gitlab From 19.0.0 (inc) to 19.0.3 (exc)
gitlab gitlab From 13.6.0 (inc) to 18.11.6 (exc)
gitlab gitlab 19.1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in GitLab CE/EE affects versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. Under certain conditions, an authenticated user with Reporter-level group permissions could view package metadata from projects even when the Package Registry was disabled. This was due to incorrect authorization checks in the group packages feature.

Impact Analysis

The impact of this vulnerability is that a user with Reporter-level permissions could access package metadata that should have been restricted, potentially exposing sensitive information about project packages. However, the vulnerability does not allow modification or deletion of data, only limited information disclosure.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GitLab CE/EE to a fixed version. Specifically, update to version 18.11.6 or later if you are using the 18.11 series, 19.0.3 or later if using the 19.0 series, or 19.1.1 or later if using the 19.1 series.

This will ensure that the incorrect authorization checks in the group packages feature are corrected, preventing authenticated users with Reporter-level group permissions from viewing package metadata from projects with the Package Registry disabled.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5796. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart