CVE-2019-5474
Description
An authorization issue was discovered in GitLab EE < 12.1.2, < 12.0.4, and < 11.11.6 allowing the merge request approval rules to be overridden without appropriate permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE allowed developers to override merge request approval rules despite project settings preventing it, bypassing authorization.
Vulnerability
An authorization bypass exists in GitLab EE versions prior to 12.1.2, 12.0.4, and 11.11.6. Project owners can configure settings to prevent overriding of approvers and approval requirements per merge request. However, a Developer user can still create new approval rules by sending a crafted POST request to the merge request edit endpoint, bypassing the intended restriction [1].
Exploitation
An attacker must be a Developer user in the target project. The UI does not expose the option to edit or create approval rules when the project owner has disabled overriding, but the server-side authorization check is insufficient. The attacker can capture the merge request edit form submission, modify the request to include approval rule parameters, and submit it. The server accepts the request and creates new approval rules without proper permission validation [1].
Impact
A Developer can override the project’s approval settings, potentially reducing the number of required approvers or adding themselves as an approver. This could allow unauthorized merges or bypass security policies, compromising the integrity and confidentiality of the codebase.
Mitigation
GitLab released fixed versions 12.1.2, 12.0.4, and 11.11.6 on 2019-07-29 [2]. Users should upgrade to these or later versions. No workaround is documented; the fix enforces proper authorization checks for approval rule modifications.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 11.11.6, < 12.0.4, < 12.1.2
- Range: before 12.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing server-side authorization check allows Developer users to override merge request approval rules despite the project owner's "prevent overriding approvers" setting.
Attack vector
An attacker who is a Developer-level user on a project can bypass the owner's "prevent overriding approvers" setting by crafting a direct HTTP POST request to the merge request edit endpoint. The UI hides the approval rules fields for unauthorized users, but the server does not validate that the user has permission to create approval rules when processing the submitted parameters. The attacker appends `merge_request[approval_rules_attributes]` parameters to a legitimate merge request update request, including a rule name, user IDs, and the number of required approvals [1].
Affected code
The vulnerability is in the merge request approval rules controller. The advisory does not specify exact file paths, but the issue is that the server-side authorization check for creating approval rules is missing when processing `merge_request[approval_rules_attributes]` parameters during a merge request update [1].
What the fix does
The advisory does not include a patch diff. The fix would require adding server-side authorization checks in the merge request update controller to verify that the current user has permission to create or modify approval rules when `approval_rules_attributes` are present in the request parameters. The check should enforce the project owner's "prevent overriding approvers" setting before allowing any changes to approval rules [1].
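As an added illustration (not GitLab's code): a simplified, self-contained Ruby model of the missing check. The vulnerable handler applies nested `approval_rules_attributes` whenever they appear in the parsed params, while the hardened handler refuses the request when the caller is not permitted to touch approval rules. The role names, the `can_update_approval_rules?` policy and the params shape are assumptions for the example.

```ruby
# Hypothetical, simplified model of a Rails-style merge request update action.
# Not GitLab's actual code; roles and policy are assumptions for the example.

Project      = Struct.new(:prevent_overriding_approvers)
User         = Struct.new(:name, :role)   # role: :developer, :maintainer, :owner
MergeRequest = Struct.new(:project, :approval_rules)

# Policy (assumed for the example): owners and maintainers may always change
# approval rules; lower roles only when the project permits overriding.
def can_update_approval_rules?(user, project)
  return true if [:owner, :maintainer].include?(user.role)
  !project.prevent_overriding_approvers
end

# Vulnerable shape: nested attributes are applied whenever they are present.
# Hiding the field in the UI does nothing; the server trusts the parameter.
def update_merge_request_vulnerable(mr, _user, params)
  rules = params.dig('merge_request', 'approval_rules_attributes')
  mr.approval_rules.concat(rules) if rules
  mr
end

# Hardened shape: the authorization check is tied to the sensitive parameter.
# Rejecting the whole request (403) rather than silently dropping the field
# keeps the attempt visible in access logs.
def update_merge_request_hardened(mr, user, params)
  rules = params.dig('merge_request', 'approval_rules_attributes')
  return :forbidden if rules && !can_update_approval_rules?(user, mr.project)
  mr.approval_rules.concat(rules) if rules
  mr
end

# Constructed sample: the parsed form of an update request that carries an
# extra approval rule alongside an ordinary title change.
CRAFTED_PARAMS = {
  'merge_request' => {
    'title' => 'Fix typo',
    'approval_rules_attributes' => [
      { 'name' => 'RuleName', 'user_ids' => [42], 'approvals_required' => 1 }
    ]
  }
}.freeze
```

Running the two handlers over `CRAFTED_PARAMS` with a Developer on a project that prevents overriding shows the difference: the vulnerable one stores the rule, the hardened one returns `:forbidden` and leaves the rules untouched.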
Preconditions
- auth: Attacker must be a Developer-level user on the target project
- config: Project owner must have enabled the 'prevent overriding approvers' setting
- network: Attacker must have network access to the GitLab instance
- input: Attacker must craft a POST request with approval_rules_attributes parameters
Reproduction
1. As a project owner, enable the "prevent overriding approvers" setting in the project's merge request approval settings.
2. As a Developer user, navigate to any merge request and click "Edit".
3. Capture the POST request sent when saving the merge request.
4. Append the following parameters to the request body: `&merge_request[approval_rules_attributes][][name]=RuleName&merge_request[approval_rules_attributes][][user_ids][]=<USER_ID>&merge_request[approval_rules_attributes][][approvals_required]=1`.
5. Send the modified request.
6. Re-open the merge request edit page and observe the new approval rule is present despite the owner's setting [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
- gitlab.com/gitlab-org/gitlab-ee/issues/11423
- hackerone.com/reports/544756