VYPR
Unrated severity · NVD Advisory · Published Oct 17, 2022 · Updated May 13, 2025

CVE-2022-3325

Description

Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An improper access control vulnerability in GitLab CE/EE API lets unauthorized users edit approval rules, bypassing instance-level restrictions.

Vulnerability

An improper access control vulnerability exists in the GitLab CE/EE API, affecting all versions from 12.8 before 15.2.5, all versions from 15.3 before 15.3.4, and all versions from 15.4 before 15.4.1 [1]. The instance-level setting "Prevent editing approval rules in projects and merge requests" disables the approval rules UI field via CSS but does not enforce the restriction on the API side. This allows a user with at least the Maintainer role to modify approval rules via direct API calls.

Exploitation

An attacker with a valid GitLab account having the Maintainer role (or higher) on a target project can exploit the vulnerability. The attacker can either directly call the API endpoint for approval rules without UI manipulation or simply enable the UI field via CSS after the setting is applied, then submit the change, which is processed by the API without proper authorization checks [1]. No additional authentication bypass is needed beyond the normal project access.

Impact

Successful exploitation allows an unauthorised user to modify the required number of approvers for merge requests, potentially bypassing code review policies. This can lead to merging of code without proper security review, weakening the integrity and confidentiality of the development pipeline. The attacker gains the ability to alter approval rules beyond what the instance administrator intended.

Mitigation

GitLab has fixed this issue in versions 15.2.5, 15.3.4, and 15.4.1 [1]. Users should upgrade to these or later patched versions. No documented workaround exists, as the API access control must be enforced server-side. Affected instances not yet patched remain vulnerable to the bypass.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Server-side API endpoint for editing approval rules does not enforce the instance-level or group-level 'Prevent editing approval rules' setting, relying only on a client-side CSS disable that can be trivially bypassed."

Attack vector

A user with the Maintainer role on a project can bypass the "Prevent editing approval rules in projects and merge requests" setting by directly sending API requests to edit approval rules, or by re-enabling the disabled form field via CSS in the browser [1]. The instance-level setting only greys out the UI field but does not enforce the restriction server-side, and the group-level setting has no effect at all [1]. The attacker does not need any special network position beyond normal authenticated access to the GitLab web UI or API.

Affected code

The bundle does not specify exact file paths or function names. The vulnerability exists in the project-level API endpoint that handles editing merge request approval rules, where the server-side authorization check for the "Prevent editing approval rules" setting is missing [1].

What the fix does

No patch diff is included in the bundle. The advisory (GitLab issue #360819) identifies that the server-side API must enforce the "Prevent editing approval rules" setting rather than relying on a client-side CSS disable [1]. The expected fix would add authorization checks in the API controller for approval rules, verifying that the instance-level or group-level setting is not active before allowing edits. The issue was addressed in GitLab versions 15.2.5, 15.3.4, and 15.4.1.
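As an added illustration of the server-side check the advisory calls for (example code written here, not GitLab's own; the setting, type and method names are hypothetical), the unchecked update path sits next to a hardened one that consults both the instance-level and group-level setting before mutating a rule:

```ruby
# Added illustration (not GitLab's code): server-side enforcement of the
# "Prevent editing approval rules" setting. All names here are hypothetical.

# Instance-wide setting the administrator toggles.
InstanceSettings = Struct.new(:prevent_editing_approval_rules)

# A group may carry the same setting; the project inherits it from its group.
Group = Struct.new(:prevent_editing_approval_rules)

ApprovalRule = Struct.new(:name, :approvals_required)

Project = Struct.new(:group, :approval_rules)

# Raised when the request must be answered with HTTP 403.
class ForbiddenError < StandardError; end

# Vulnerable behaviour: the endpoint trusts the request because the UI field
# was disabled client-side; the setting is never consulted on the server.
def update_rule_unchecked(project, rule_name, approvals_required)
  rule = project.approval_rules.find { |r| r.name == rule_name }
  rule.approvals_required = approvals_required
  rule
end

# Hardened behaviour: decide on the server, honouring both the instance-level
# and the group-level setting before any write happens.
def approval_rule_editing_locked?(project, instance_settings)
  instance_settings.prevent_editing_approval_rules ||
    project.group&.prevent_editing_approval_rules == true
end

def update_rule_checked(project, rule_name, approvals_required, instance_settings)
  if approval_rule_editing_locked?(project, instance_settings)
    raise ForbiddenError, "approval rules are locked by an administrator"
  end
  update_rule_unchecked(project, rule_name, approvals_required)
end

# Constructed sample: the admin locked the setting instance-wide and a
# Maintainer submits a request lowering the required approvals to zero.
if __FILE__ == $PROGRAM_NAME
  settings = InstanceSettings.new(true)
  project = Project.new(Group.new(false), [ApprovalRule.new("security", 2)])
  begin
    update_rule_checked(project, "security", 0, settings)
  rescue ForbiddenError => e
    puts "403: #{e.message}"
  end
end
```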

Preconditions

  • auth: Attacker must have at least the Maintainer role on the target project
  • config: Instance-level or group-level "Prevent editing approval rules" setting must be enabled (the setting the bug bypasses)
  • network: Attacker must have authenticated access to the GitLab API or web UI

Reproduction

1. As an administrator, enable "Prevent editing approval rules in projects and merge requests" at the instance level.
2. As a Maintainer, open a project's Merge Request approval rule settings.
3. Right-click the "Approvals required" field and re-enable it via CSS, then change the value. The change is accepted by the API [1]. Alternatively, send a direct API PUT/PATCH request to the approval rules endpoint with modified values.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
