Unrated severity · NVD Advisory · Published Jan 26, 2024 · Updated May 1, 2026
Direct Request ('Forced Browsing') in GitLab
CVE-2024-0456
Description
An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to merge requests (MRs) that they created within the project.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: 14.0)
- (no CPE) (range: >=14.0 <16.6.6, >=16.7 <16.7.4, >=16.8 <16.8.1)
References
- gitlab.com/gitlab-org/gitlab/-/issues/430726 (source: mitre; tags: issue-tracking, permissions-required)
- about.gitlab.com/releases/2024/01/25/critical-security-release-gitlab-16-8-1-released/ (source: mitre)
News mentions
- GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8 (GitLab Security Releases · Jan 25, 2024)