CVE-2026-5296
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE fails to enforce flow restrictions for authenticated developer users when foundational flows are enabled at the group level.
Vulnerability
The issue resides in GitLab EE where foundational flows enabled at the group level are not properly enforced. Affected versions: 18.7 up to but not including 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. An authenticated user with developer-role permissions can bypass the intended restrictions of foundational flows under certain conditions [1].
Exploitation
Exploitation requires an authenticated account with developer-role permissions in a group where foundational flows are enabled. Under conditions that the advisory does not specify, such an account can circumvent the restrictions the flows impose. Neither the request path involved nor the triggering conditions are described in the public advisory, and the HackerOne report is not publicly readable, so the exact trigger cannot be stated from the available references [1].
Impact
Successful exploitation lets a developer-role user perform actions that the group's foundational flow restrictions should have blocked. The CVSS base score of 4.3 (Medium) indicates a limited impact; the references cited here give only the score, not the vector, so which of confidentiality, integrity or availability is affected cannot be stated from them [1].
Mitigation
GitLab has fixed this issue in versions 18.10.7, 18.11.4, and 19.0.1, released on 2026-05-27. Users should upgrade to one of these patched versions. No workaround is mentioned in the available references [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=18.7, <18.10.7 || >=18.11, <18.11.4 || >=19.0, <19.0.1
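The affected range above is easy to misread when versions are compared as strings ("18.10.6" sorts before "18.7.0" lexically). The following is an added example, not GitLab's own tooling, that encodes the three ranges from the advisory and triages a constructed inventory of instance versions; the hostnames and versions in the inventory are made up for illustration.

```python
"""Check GitLab EE versions against the affected ranges for CVE-2026-5296.

Added example, not GitLab's own code. The ranges are copied from the advisory;
the sample inventory is constructed for illustration only.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ((18, 7, 0), (18, 10, 7)),
    ((18, 11, 0), (18, 11, 4)),
    ((19, 0, 0), (19, 0, 1)),
]

# GitLab reports versions as 'MAJOR.MINOR.PATCH-ee' or '-ce'; the edition suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.]+)?$")


def parse_version(text: str) -> Version:
    """Parse '18.10.6-ee' into (18, 10, 6). A missing patch number is treated as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (tuple comparison, not string)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Lowest patched release that closes the range the version falls in, or None if not affected.

    Everything from 18.7 up to 18.10.6 is covered by the 18.10.7 release in the advisory.
    """
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    if (major, minor) <= (18, 10):
        return "18.10.7"
    if (major, minor) == (18, 11):
        return "18.11.4"
    return "19.0.1"


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each instance name to the release it must upgrade to (None when already safe)."""
    return {name: recommended_fix(ver) for name, ver in inventory.items()}


# Constructed sample inventory (names and versions invented for the example).
SAMPLE_INVENTORY = {
    "gitlab-prod": "18.10.6-ee",     # inside the first range: needs 18.10.7
    "gitlab-staging": "18.11.4-ee",  # already on a fixed release
    "gitlab-dev": "19.0.0-ee",       # inside the third range: needs 19.0.1
    "gitlab-legacy": "18.6.2-ee",    # below 18.7; not listed as affected by the advisory
}

if __name__ == "__main__":
    for name, fix in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'upgrade to ' + fix if fix else 'not affected'}")
```

The check deliberately parses into integer tuples before comparing; a naive string comparison would place 18.10.6 outside the first range and 18.7.0 inside the second, producing the wrong triage result.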
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/ (NVD: Release Notes, Vendor Advisory)
- hackerone.com/reports/3626303 (NVD: Permissions Required)
News mentions
- GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7 (GitLab Security Releases · May 27, 2026)