Authorization Bypass in GitLab CE/EE Affects Multiple Versions
CVE-2025-12653

6.5MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 26 November 2025

What is CVE-2025-12653?

An authorization bypass vulnerability exists in GitLab CE/EE that permits unauthenticated users to join arbitrary organizations. This issue arises from improper header handling under specific conditions. The flaw affects multiple versions of GitLab CE/EE and could be exploited by attackers, thereby compromising the integrity of user management within the application. Prompt updates are recommended to mitigate potential exploitation.

Affected Version(s)

GitLab 18.3 < 18.4.5

GitLab 18.5 < 18.5.3

GitLab 18.6 < 18.6.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/579372

issue-trackingpermissions-required

https://hackerone.com/reports/3370245

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program

JSON