Authorization Flaw in GitLab CE/EE Affecting Multiple Versions
CVE-2026-9807
4.3 MEDIUM
What is CVE-2026-9807?
GitLab has addressed a vulnerability in GitLab CE/EE that could allow a previously blocked Project Access Token to access private resources. The issue arises because authorization checks are not adequately enforced under specific circumstances, putting sensitive data at risk. Users should ensure they are running patched versions of the software to mitigate potential exploitation.
Affected Version(s)
GitLab 18.9 < 18.10.7
GitLab 18.11 < 18.11.4
GitLab 19.0 < 19.0.1
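The affected-version lines above use the advisory's range notation: "18.9 < 18.10.7" means every release from 18.9 up to, but not including, the fixed release 18.10.7. The following added example (written for this page, not GitLab's own tooling) reads those three ranges literally and reports whether a given version string needs upgrading and which fixed release to move to. Version strings such as "18.10.6-ee" or "v18.11.3" are assumed as inputs a practitioner would see from an instance's version endpoint or package manager; the instance inventory in `main()` is constructed sample data.

```python
"""Check GitLab version strings against the affected ranges for CVE-2026-9807.

Added example for this advisory page; not GitLab's own code. The ranges are
taken verbatim from the advisory's "Affected Version(s)" list.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected release, first fixed release) per branch, from the advisory.
# "18.9 < 18.10.7" is read as: 18.9.0 <= version < 18.10.7.
AFFECTED_RANGES = [
    ("18.9", "18.10.7"),
    ("18.11", "18.11.4"),
    ("19.0", "19.0.1"),
]


def parse_version(text: str) -> Version:
    """Normalise strings like 'v18.10.7', '18.10.6-ee', '18.9' to a 3-tuple.

    Missing components are treated as 0 ('18.9' -> (18, 9, 0)); edition
    suffixes such as '-ee' are ignored since CE and EE share the advisory.
    """
    core = text.strip().lstrip("v").split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def fixed_release_for(version: str) -> Optional[str]:
    """Return the fixed release on the matching branch, or None if unaffected."""
    v = parse_version(version)
    for first_affected, fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside any advisory range."""
    return fixed_release_for(version) is not None


def main() -> None:
    # Constructed sample inventory: hostname -> reported version string.
    inventory = {
        "gitlab-prod.example.internal": "18.10.6-ee",
        "gitlab-staging.example.internal": "18.11.4-ee",
        "gitlab-lab.example.internal": "v19.0.0",
    }
    for host, ver in inventory.items():
        fixed = fixed_release_for(ver)
        status = f"AFFECTED, upgrade to {fixed}" if fixed else "not in affected ranges"
        print(f"{host}: {ver} -> {status}")


if __name__ == "__main__":
    main()
```

Versions outside the three listed branches (for example older 18.x releases) are reported as "not in affected ranges" only because the advisory lists none for them; treat that as "not covered by this advisory" rather than as proof of safety.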
References
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to [s4dmach1ne](https://hackerone.com/s4dmach1ne) for reporting this vulnerability through our HackerOne bug bounty program.