VYPR
Unrated severity · NVD Advisory · Published Dec 1, 2023 · Updated Apr 26, 2026

Incorrect Authorization in GitLab

CVE-2023-4658

Description

An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, and all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted the permission through a group.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE allowed guest users with group-level 'Allowed to merge' permission to push and merge to protected branches, bypassing role checks.

Vulnerability

An issue in GitLab EE allows a guest user who is a member of a group granted the "Allowed to push and merge" permission on a protected branch to gain unauthorized push and merge access. The permission check only verifies the user's project role (Developer minimum) but fails to validate the user's role within the granted group. Affected versions: GitLab EE from 8.13 before 16.4.3, 16.5 before 16.5.3, and 16.6 before 16.6.1 [1].

Exploitation

An attacker must be a guest user in the target project and also a member of a group that has been granted "Allowed to push and merge" access to a protected branch. No additional privileges are required beyond guest membership. The attacker can then push commits and merge merge requests to the protected branch, bypassing the intended role restriction [1].

Impact

Successful exploitation allows an attacker to push and merge changes to protected branches, compromising the integrity of the branch and potentially introducing malicious code. The attacker gains unauthorized write access typically reserved for Developers or higher roles [1].

Mitigation

Upgrade GitLab EE to version 16.4.3, 16.5.3, 16.6.1, or later. No workaround is available. The issue was fixed in the security releases following the disclosure [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

Missing role-level check: when a group is granted "Allowed to push and merge" access, the system does not verify that the user holds at least a Developer role within that group, only that they are a member of the group and have a max Developer role in the project.

Attack vector

An attacker who is already a Developer on the victim project can be added as a Guest to a group that has been granted "Allowed to push and merge" access to a protected branch. Because the access control only checks membership in the granted group and the user's max role in the project (Developer), the Guest-level membership in the group is sufficient to inherit push-and-merge permissions on the protected branch [ref_id=1]. The attacker can then push directly to the protected branch, modify files, or upload a malicious .gitlab-ci.yml to exfiltrate CI/CD variables [ref_id=1].

Affected code

The vulnerability lies in the access control logic for protected branches. When a group is granted "Allowed to push and merge" access, the code checks whether the user is a member of the granted group and whether the user has a maximum role of Developer in the project, but it does not verify that the user holds at least a Developer role within the granted group itself [ref_id=1].

What the fix does

No patch diff is included in the bundle. The advisory [ref_id=1] describes the root cause: when a group is granted "Allowed to push and merge" access, the system checks only that the user is a member of the granted group and has a max role of Developer in the project, but fails to verify the user's role within the granted group itself. The fix should add a check ensuring that only members with at least a Developer role in the granted group inherit the protected branch permissions [ref_id=1].
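To make the missing check concrete, the following is an added illustration (not GitLab's code; every class, method and role name here is an assumption) of the access-control logic as the advisory describes it. It models a protected branch that grants "Allowed to push and merge" to a group, computes a user's maximum project role from direct membership and invited-group links, and places the vulnerable check (group membership plus project role of at least Developer) beside the hardened check that also requires at least Developer within the granted group itself.

```ruby
# Constructed model of protected-branch "Allowed to push and merge" checks.
# Not GitLab's code: class names, method names and role values are assumptions.

ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class Group
  attr_reader :name

  def initialize(name)
    @name = name
    @members = {} # user => role symbol
  end

  def add(user, role)
    @members[user] = role
    self
  end

  # Role the user holds inside this group, or nil if not a member.
  def role_of(user)
    @members[user]
  end
end

class Project
  def initialize
    @members = {}     # direct project members: user => role
    @group_links = {} # groups invited to the project: group => role cap
  end

  def add_member(user, role)
    @members[user] = role
  end

  def link_group(group, role)
    @group_links[group] = role
  end

  # Highest role the user holds in the project, directly or through an
  # invited group. A group invite caps the inherited role at the link's role.
  def max_role(user)
    roles = []
    roles << @members[user] if @members[user]
    @group_links.each do |group, link_role|
      group_role = group.role_of(user)
      next unless group_role
      roles << (ROLES[group_role] < ROLES[link_role] ? group_role : link_role)
    end
    roles.max_by { |r| ROLES[r] }
  end
end

class ProtectedBranch
  def initialize(name, allowed_groups)
    @name = name
    @allowed_groups = allowed_groups # groups granted "Allowed to push and merge"
  end

  # Vulnerable check as described in the advisory: any membership in a
  # granted group, combined with a project max role of Developer, is enough.
  def can_push_vulnerable?(user, project)
    return false unless developer_in_project?(user, project)
    @allowed_groups.any? { |g| g.role_of(user) }
  end

  # Hardened check: the user must hold at least Developer within the granted
  # group itself, not merely be a member of it.
  def can_push_fixed?(user, project)
    return false unless developer_in_project?(user, project)
    @allowed_groups.any? do |g|
      role = g.role_of(user)
      role && ROLES[role] >= ROLES[:developer]
    end
  end

  private

  def developer_in_project?(user, project)
    max = project.max_role(user)
    max && ROLES[max] >= ROLES[:developer]
  end
end

# Constructed scenario mirroring the preconditions on this page: a Developer on
# the project who is only a Guest in the granted group.
def scenario
  attacker = "attacker"
  legit = "victim-member"
  granted = Group.new("granted-group").add(legit, :developer).add(attacker, :guest)
  project = Project.new
  project.add_member(attacker, :developer)
  project.link_group(granted, :developer)
  branch = ProtectedBranch.new("main", [granted])
  {
    vulnerable: branch.can_push_vulnerable?(attacker, project), # true
    fixed: branch.can_push_fixed?(attacker, project),           # false
    legit_fixed: branch.can_push_fixed?(legit, project)         # true
  }
end

puts scenario.inspect if __FILE__ == $PROGRAM_NAME
```

The only difference between the two checks is the role comparison inside the granted group; a Developer who is a genuine Developer in that group still passes the hardened check, so the fix narrows the grant without breaking the intended use.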

Preconditions

  • config: The victim project must have protected branches configured with "Allowed to push and merge" access granted to a specific group.
  • auth: The attacker must already be a Developer member of the victim project.
  • auth: The attacker must be able to join the granted group as a Guest member.
  • config: The victim must have added the granted group as a member of the project with at least Developer role.

Reproduction

1. Victim creates a group `victim-group`, activates Ultimate trial, and creates `victim-project` inside it.
2. Victim adds attacker as a Developer to `victim-project`.
3. Victim creates `granted-group` and adds a `victim-member` as Developer.
4. Victim invites `granted-group` as a Developer to `victim-project`.
5. Victim goes to Protected branches settings and grants "Allowed to push and merge" access to `granted-group`.
6. Victim adds attacker as a Guest to `granted-group`.
7. Attacker now automatically has "Allowed to push and merge" access on the protected branch and can push changes, modify files, or upload a malicious `.gitlab-ci.yml` to leak CI/CD variables [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
