Permission Bypass in GitLab EE Affecting Multiple Versions
CVE-2026-0934

3.8LOW

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-0934?

A vulnerability in GitLab EE affects multiple versions where an authenticated user, granted custom role permissions, may gain unauthorized access to view, create, or delete protected environment configurations. This behavior occurs even when CI/CD visibility settings are disabled for the specific project, indicating a serious oversight in access control management. Corrective measures have been applied in the recent patches to ensure that permissions are enforced properly.

Affected Version(s)

GitLab 17.9 < 18.11.6

GitLab 19.0 < 19.0.3

GitLab 19.1 < 19.1.1

References

CVSS V3.1

Score:
3.8
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [vulnable](https://hackerone.com/vulnable) for reporting this vulnerability through our HackerOne bug bounty program
.