VYPR
Unrated severityNVD Advisory· Published Sep 26, 2025· Updated Feb 26, 2026

Missing Authorization in GitLab

CVE-2025-10871

Description

An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges.

Affected products

11

Patches

Vulnerability mechanics

References

1

News mentions

1