Authorization Bypass Through User-Controlled Key in GitLab
CVE-2026-6976

3.7LOW

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-6976?

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.

Affected Version(s)

GitLab 15.9 < 18.10.8

GitLab 18.11 < 18.11.5

GitLab 19.0 < 19.0.2

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/598165

https://hackerone.com/reports/3638136

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/06/10/patch-releas...

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Apr 24, 2026

Credit

Thanks [xorz](https://hackerone.com/xorz) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-6976 Data

JSON