Improper Authorization in GitLab EE Allows Account Takeover for Group Owners
CVE-2026-6552
8.7HIGH
What is CVE-2026-6552?
A security flaw exists in GitLab EE that could potentially allow an authenticated user with the role of group Owner to gain unauthorized access to another member's account. This issue stems from improper authorization within the Group SAML identity management process. The vulnerability affects numerous versions, making it crucial for GitLab administrators to apply the latest updates to safeguard against potential account takeovers that could lead to unauthorized activities within user groups.
Affected Version(s)
GitLab 15.5 < 18.10.8
GitLab 18.11 < 18.11.5
GitLab 19.0 < 19.0.2
References
CVSS V3.1
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [cyberjoker](https://hackerone.com/cyberjoker) for reporting this vulnerability through our HackerOne bug bounty program