CVE-2026-2900: Missing Authorization in GitLab

Q: What is the severity of CVE-2026-2900?

CVE-2026-2900 is considered a critical vulnerability due to potential unauthorized actions by an authenticated user.

Q: How do I fix CVE-2026-2900?

To fix CVE-2026-2900, upgrade your GitLab EE instance to version 18.9.7, 18.10.6, or 18.11.3 or later.

Q: Which versions of GitLab are affected by CVE-2026-2900?

CVE-2026-2900 affects all GitLab EE versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

Q: What is the impact of CVE-2026-2900?

The impact of CVE-2026-2900 is that an authenticated Maintainer could manipulate approval rules, potentially leading to unauthorized access.

Q: Is user authentication required to exploit CVE-2026-2900?

Yes, exploiting CVE-2026-2900 requires an authenticated user to be involved in the process.

Published May 14, 2026

Updated

GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.

Affected Software

4 affected components

GitLab GitLab EE>=16.10<18.9.7, >=18.10<18.10.6, >=18.11<18.11.3

GitLab GitLab>=16.10.0<18.9.7

GitLab GitLab>=18.10.0<18.10.6

GitLab GitLab>=18.11.0<18.11.3

Remediation

Information

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

Event History

May 14, 2026

CVE Published

via MITRE·05:36 AM

Data Sourced

via MITRE·05:36 AM

RemedyDescriptionSeverityWeakness

Data Sourced

via NVD·06:16 AM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-2900?

CVE-2026-2900 is considered a critical vulnerability due to potential unauthorized actions by an authenticated user.

How do I fix CVE-2026-2900?

To fix CVE-2026-2900, upgrade your GitLab EE instance to version 18.9.7, 18.10.6, or 18.11.3 or later.

Which versions of GitLab are affected by CVE-2026-2900?

CVE-2026-2900 affects all GitLab EE versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

What is the impact of CVE-2026-2900?

The impact of CVE-2026-2900 is that an authenticated Maintainer could manipulate approval rules, potentially leading to unauthorized access.

Is user authentication required to exploit CVE-2026-2900?

Yes, exploiting CVE-2026-2900 requires an authenticated user to be involved in the process.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

CVE-2026-2900: Missing Authorization in GitLab

Affected Software

Remediation

Information

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2026-2900?

How do I fix CVE-2026-2900?

Which versions of GitLab are affected by CVE-2026-2900?

What is the impact of CVE-2026-2900?

Is user authentication required to exploit CVE-2026-2900?

Company

Resources

Contact