VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-6277

Description

GitLab EE authorization flaw lets Security Manager users manage disabled security features, affecting versions before 18.10.8, 18.11.5, and 19.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An authorization bypass vulnerability exists in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 [1]. The issue arises from incorrect authorization enforcement, allowing an authenticated user with the Security Manager role to manage project security configuration even when the relevant feature is in a disabled state.

Exploitation

An attacker must be an authenticated user with the Security Manager role in a GitLab EE instance. No additional privileges or user interaction beyond authentication are required. The attacker can then access and modify project security settings that should be unavailable due to the feature being disabled, likely through the GitLab UI or API.

Impact

Successful exploitation enables the attacker to manage security configuration (e.g., enable, disable, or alter security features) despite the feature being administratively disabled. This compromises the integrity of the security posture and could lead to unauthorized changes that weaken protections, potentially affecting confidentiality and availability of project resources.

Mitigation

GitLab has released fixed versions 18.10.8, 18.11.5, and 19.0.2 on 2026-06-10 [1]. Users should upgrade to these versions immediately. No workarounds have been published, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 1