Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-9807
CVE-2026-9807
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7(expand)+ 4 more
- (no CPE)
- cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:community:*:*:*
- cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*range: >=18.9.0,<18.10.7
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*range: >=18.9.0,<18.10.7
- Range: >=18.9 <18.10.7, >=18.11 <18.11.4, >=19.0 <19.0.1
Patches
Vulnerability mechanics
References
2- about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/nvdRelease Notes
- hackerone.com/reports/3554993nvdPermissions Required
News mentions
1- GitLab Patches 7 CVEs: Duo AI Identity Flaw, Auth Bypass, and Project EnumerationVypr Intelligence · May 28, 2026