VYPR
Medium severity (CVSS 4.3) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2026-2601

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE has an improper authorization check in deployments that allows authenticated developers to access sensitive deployment data.

Vulnerability

An improper authorization check exists in the deployments feature of GitLab EE in all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 [1]. This vulnerability allows an authenticated user with developer-role permissions to access sensitive deployment data on a project where they should not have such access [1]. The issue stems from insufficient permission validation when retrieving deployment records.

Exploitation

To exploit this flaw, an attacker must be an authenticated user with at least developer-level access to a GitLab project [1]. The attacker can then make API or UI requests to retrieve deployment data that is normally restricted to higher-privileged roles. No additional user interaction is required beyond normal usage of the GitLab interface or API. The exact sequence of steps is not detailed in the available references but involves crafting requests that bypass the intended authorization checks.

Impact

Successful exploitation results in unauthorized access to sensitive deployment data [1]. This information disclosure could expose details such as deployment environments, variables, or other configuration metadata that could aid further attacks. The impact is limited to information disclosure (confidentiality breach) and does not allow modification or deletion of data. The privilege escalation is within the scope of the project, as a developer may see data intended for maintainers or owners.

Mitigation

GitLab has fixed the issue in versions 18.10.7, 18.11.4, and 19.0.1, released on 2026-05-27 [1]. Users running GitLab EE on versions 11.5 through 18.10.6, 18.11 through 18.11.3, or 19.0.0 should upgrade immediately to the corresponding patched version [1]. No workarounds are documented by the vendor; upgrading is the only mitigation available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 1