Authentication Bypass in GitLab EE Affecting Multiple Versions
CVE-2026-5296

4.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-5296?

GitLab has addressed a vulnerability within GitLab EE that allows authenticated users with developer-role permissions to bypass restrictions involving foundational flows under specific conditions. This issue impacts all versions prior to GitLab EE 18.10.7, 18.11.4, and 19.0.1 when foundational flows are enabled at the group level. The vulnerability underscores the necessity for users to update their systems to maintain security integrity and avoid potential exploitation.

Affected Version(s)

GitLab 18.7 < 18.10.7

GitLab 18.11 < 18.11.4

GitLab 19.0 < 19.0.1

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/595423

https://hackerone.com/reports/3626303

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/05/27/patch-releas...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-5296 Data

JSON

Gitlab

What is CVE-2026-5296?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit