CVE-2026-6883

GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.

CVSS v3 2.6 LOW

2.6^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/	Release Notes
https://gitlab.com/gitlab-org/gitlab/-/work_items/596350	Not Applicable

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

16 May 2026, 03:33

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
References	~~() https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ -~~	() https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/ - Release Notes
References	~~() https://gitlab.com/gitlab-org/gitlab/-/work_items/596350 -~~	() https://gitlab.com/gitlab-org/gitlab/-/work_items/596350 - Not Applicable
First Time		Gitlab gitlab Gitlab

14 May 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-14 06:16

Updated : 2026-05-16 03:33

NVD link : CVE-2026-6883

Mitre link : CVE-2026-6883

CVE.ORG link : CVE-2026-6883

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-6883", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@gitlab.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.6, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-05-14T06:16:25.117", "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "tags": ["Release Notes"], "source": "cve@gitlab.com"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596350", "tags": ["Not Applicable"], "source": "cve@gitlab.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve@gitlab.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records."}], "lastModified": "2026-05-16T03:33:30.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "D86F30EE-DF79-4AA9-BE69-FCEB740BE201", "versionEndExcluding": "18.9.7", "versionStartIncluding": "15.7.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "E79D4F10-88B3-4AA7-BC5E-3FC8FA698969", "versionEndExcluding": "18.10.6", "versionStartIncluding": "18.10.0"}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "DA0D6580-3530-4D76-81CE-D852BCE0D411", "versionEndExcluding": "18.11.3", "versionStartIncluding": "18.11.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@gitlab.com"}