Authorization Flaw in GitLab EE from GitLab Inc.
CVE-2026-2900

2.7LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-2900?

GitLab EE has disclosed a security vulnerability that allows an authenticated user with Maintainer permissions to potentially alter or remove project approval rules. This issue arises when instance-level approval rule editing prevention is enabled but lacks proper authorization checks, permitting unauthorized modifications. The affected versions include all releases from 16.10 prior to 18.9.7, 18.10 prior to 18.10.6, and 18.11 prior to 18.11.3, necessitating prompt updates to mitigate risks associated with unauthorized access.

Affected Version(s)

GitLab 16.10 < 18.9.7

GitLab 18.10 < 18.10.6

GitLab 18.11 < 18.11.3

References

https://hackerone.com/reports/3561092

technical-descriptionexploitpermissions-required

https://gitlab.com/gitlab-org/gitlab/-/work_items/590983

https://about.gitlab.com/releases/2026/05/13/patch-releas...

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Feb 20, 2026

Credit

Thanks [modhanami](https://hackerone.com/modhanami) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-2900 Data

JSON

Gitlab

What is CVE-2026-2900?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit