Unrated severity · NVD Advisory · Published Feb 21, 2024 · Updated Nov 20, 2025
Improper Enforcement of Behavioral Workflow in GitLab
CVE-2024-0410
Description
An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: 15.1)
- (no CPE) range: >=15.1 <16.7.6 || >=16.8 <16.8.3 || >=16.9 <16.9.1
References
- hackerone.com/reports/2296778 (mitre; technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/437988 (mitre; issue-tracking)
News mentions
- GitLab Security Release: 16.9.1, 16.8.3, 16.7.6 (GitLab Security Releases · Feb 21, 2024)