Authorization Flaw in GitLab CE/EE Impacts User Privilege Management
CVE-2026-4916

2.7LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-4916?

An improper authorization vulnerability in GitLab CE/EE could enable an authenticated user with custom role permissions to adversely impact user privilege levels. Specifically, this flaw allows such users to demote or completely remove members with higher privileges from groups, leading to potential misuse of administrative powers and compromising group security. Mitigation has been applied in versions following the identified releases.

Affected Version(s)

GitLab 18.2 < 18.8.9

GitLab 18.9 < 18.9.5

GitLab 18.10 < 18.10.3

References

https://hackerone.com/reports/3301240

technical-descriptionexploitpermissions-required

https://gitlab.com/gitlab-org/gitlab/-/work_items/565414

https://about.gitlab.com/releases/2026/04/08/patch-releas...

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 26, 2026

Credit

Thanks [theluci](https://hackerone.com/theluci) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-4916 Data

JSON

Gitlab

What is CVE-2026-4916?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit