CVE-2026-6269
Analyzed
Analyzed - Analysis Complete
Authenticated Developer Access Bypass in GitLab CE/EE
Vulnerability report for CVE-2026-6269, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-11
Last updated on: 2026-06-15
Assigner: GitLab Inc.
Description
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.11.0 (inc) to 18.11.5 (exc) |
| gitlab | gitlab | From 19.0.0 (inc) to 19.0.2 (exc) |
| gitlab | gitlab | From 18.11.0 (inc) to 18.11.5 (exc) |
| gitlab | gitlab | From 19.0.0 (inc) to 19.0.2 (exc) |
| gitlab | gitlab | From 15.10.0 (inc) to 18.10.8 (exc) |
| gitlab | gitlab | From 15.10.0 (inc) to 18.10.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |