CVE-2026-9807
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A blocked Project Access Token in GitLab CE/EE could still access private resources due to incorrect authorization enforcement, affecting versions before 18.10.7, 18.11.4, and 19.0.1.
Vulnerability
GitLab CE/EE versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 contain an incorrect authorization enforcement flaw. Under certain conditions, a blocked Project Access Token could continue to access private resources because the authorization check did not properly revoke the token's permissions.
Exploitation
An attacker who possesses a Project Access Token that has been blocked by an administrator can use that token to access private resources that the token originally had access to. No additional privileges or user interaction is required beyond having the blocked token.
Impact
Successful exploitation allows an attacker with a blocked token to continue accessing private resources, leading to unauthorized information disclosure. The attacker gains read access to resources that should have been revoked, limited to the permissions the token had before being blocked.
Mitigation
GitHub has released fixed versions 18.10.7, 18.11.4, and 19.0.1 on 2026-05-27 [1]. Users should upgrade to these versions or later. No workarounds are mentioned. The issue is not listed in CISA KEV as of publication.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: >=18.9 <18.10.7, >=18.11 <18.11.4, >=19.0 <19.0.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.