CVE-2026-4868
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An improper user identity resolution in GitLab EE Duo AI workflows could allow an authenticated user to impersonate another user in specific workflows.
Vulnerability
An improper user identity resolution vulnerability exists in GitLab EE's Duo AI workflow runners. Affected versions are all GitLab EE from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. Under certain conditions, the identity resolution mechanism fails to correctly associate a workflow trigger with the authenticated user, allowing the workflow to execute under a different user's identity [1].
Exploitation
An attacker must be an authenticated user of the GitLab EE instance. The advisory does not fully detail the conditions required to trigger the flaw, beyond that they involve initiating a Duo AI workflow whose runner relies on user identity resolution. By crafting a request or workflow trigger under those conditions, the attacker can cause the workflow runner to resolve the identity to another user instead of the caller [1].
Impact
Successful exploitation allows the attacker to cause Duo AI workflows to run under another user's identity. This could lead to unauthorized actions being performed within the context of the impersonated user's permissions, potentially resulting in information disclosure, data modification, or other privilege escalation scenarios depending on the workflow's capabilities [1].
Mitigation
GitLab has released fixed versions: 18.10.7, 18.11.4, and 19.0.1, all published on 2026-05-27. Users should upgrade to one of these patched versions immediately. No workarounds are documented in the advisory [1].
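A defender's first question is whether a given instance sits inside the affected ranges listed above. The following is an added example, not code from GitLab or the advisory: it encodes the three affected ranges from this CVE as half-open intervals, parses GitLab version strings (edition suffixes such as "-ee" are ignored), and reports the fixed version on the same branch. The optional `instance_version` helper uses the real `GET /api/v4/version` endpoint with a `PRIVATE-TOKEN` header; the sample version strings are constructed for illustration.

```python
import json
import re
import urllib.request

# Affected ranges copied from the advisory for CVE-2026-4868:
# (lower bound inclusive, upper bound exclusive). The upper bound of each
# range is the fixed release for that branch (18.10.7, 18.11.4, 19.0.1).
AFFECTED_RANGES = [
    ((18, 8, 0), (18, 10, 7)),
    ((18, 11, 0), (18, 11, 4)),
    ((19, 0, 0), (19, 0, 1)),
]

# Matches the leading numeric part of strings like "18.10.6-ee" or "19.0.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) for a GitLab version string.
    Suffixes such as '-ee', '-ce' or pre-release tags are ignored; a missing
    patch component is treated as 0 (so '18.8' means 18.8.0)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version):
    """Return the fixed release string for the branch the version is on,
    or None when the version is outside every affected range."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return ".".join(str(part) for part in upper)
    return None


def is_affected(version):
    """True if the version falls inside any affected range for CVE-2026-4868."""
    return fixed_version_for(version) is not None


def instance_version(base_url, token):
    """Fetch the running version from a live instance via GET /api/v4/version.
    Requires an authenticated token; base_url and token are caller-supplied."""
    url = f"{base_url.rstrip('/')}/api/v4/version"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["version"]
```

Feed `instance_version()` output into `is_affected()` to check a fleet of instances; the comparison is purely local, so the range check itself runs offline.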
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=18.8 <18.10.7 OR >=18.11 <18.11.4 OR >=19.0 <19.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/ (nvd: Release Notes, Vendor Advisory)
- hackerone.com/reports/3619872 (nvd: Permissions Required)
News mentions
- GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7 (GitLab Security Releases · May 27, 2026)