Improper Authorization in GitLab EE Allows Account Takeover for Group Owners
CVE-2026-6552

8.7HIGH

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-6552?

A security flaw exists in GitLab EE that could potentially allow an authenticated user with the role of group Owner to gain unauthorized access to another member's account. This issue stems from improper authorization within the Group SAML identity management process. The vulnerability affects numerous versions, making it crucial for GitLab administrators to apply the latest updates to safeguard against potential account takeovers that could lead to unauthorized activities within user groups.

Affected Version(s)

GitLab 15.5 < 18.10.8

GitLab 18.11 < 18.11.5

GitLab 19.0 < 19.0.2

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [cyberjoker](https://hackerone.com/cyberjoker) for reporting this vulnerability through our HackerOne bug bounty program
.