Authorization Flaw in GitLab EE Allows Modification of Compliance Records by Auditors
CVE-2026-6352

2.7LOW

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-6352?

GitLab has addressed a vulnerability affecting GitLab EE in versions prior to 18.11.7, 19.0.4, and 19.1.2. This issue allows an authenticated user with auditor-level access to improperly modify compliance violation records due to insufficient authorization checks on certain GraphQL operations. The flaw could lead to unauthorized changes in critical compliance documentation, emphasizing the need for adequate access control measures.

Affected Version(s)

GitLab 18.2 < 18.11.7

GitLab 19.0 < 19.0.4

GitLab 19.1 < 19.1.2

References

CVSS V3.1

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [amanverasia](https://hackerone.com/amanverasia) for reporting this vulnerability through our HackerOne bug bounty program
.