{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1751", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-02-02T09:04:33.310Z", "datePublished": "2026-02-02T09:04:38.090Z", "dateUpdated": "2026-02-02T13:24:44.683Z"}, "containers": {"cna": {"title": "Missing Authorization in GitLab", "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.8", "status": "affected", "lessThan": "18.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/519340", "name": "GitLab Issue #519340", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/2980839", "name": "HackerOne Bug Bounty Report #2980839", "tags": ["technical-description", "exploit", "permissions-required"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.5.0 or above"}], "credits": [{"lang": "en", "value": "Thanks [theluci](https://hackerone.com/theluci) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-02-02T09:04:38.090Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T13:24:03.135088Z", "id": "CVE-2026-1751", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T13:24:44.683Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1751", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T13:24:03.135088Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T13:24:30.874Z"}}], "cna": {"title": "Missing Authorization in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [theluci](https://hackerone.com/theluci) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.8", "lessThan": "18.5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.5.0 or above"}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/519340", "name": "GitLab Issue #519340", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/2980839", "name": "HackerOne Bug Bounty Report #2980839", "tags": ["technical-description", "exploit", "permissions-required"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-02-02T09:04:38.090Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1751", "state": "PUBLISHED", "dateUpdated": "2026-02-02T13:24:44.683Z", "dateReserved": "2026-02-02T09:04:33.310Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-02-02T09:04:38.090Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "B89CF163-DA6E-40E4-9D46-FE5B05B208A9", "versionEndExcluding": "18.5.0", "versionStartIncluding": "16.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1BF55EB1-AFA1-45BD-B17B-127F49377C54", "versionEndExcluding": "18.5.0", "versionStartIncluding": "16.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en GitLab CE/EE que afecta a todas las versiones a partir de la 16.8 y anteriores a la 18.5.0 que podr\u00eda haber permitido ediciones no autorizadas en las reglas de aprobaci\u00f3n de solicitudes de fusi\u00f3n bajo ciertas condiciones."}], "id": "CVE-2026-1751", "lastModified": "2026-02-04T14:34:06.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-02-02T10:16:06.693", "references": [{"source": "cve@gitlab.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/519340"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2980839"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:40:39.260937+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.5.0 or later, which removes the missing authorization check.", "If upgrading is delayed, restrict the 'Merge Request Approvals' scope to trusted users only by adjusting permissions or using protected branches.", "Apply audit logging to capture any changes to approval rules so discrepancies can be identified promptly."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of merge request approval rules"}, "threat_synthesis": {"affected_systems": "The vulnerability affects GitLab Community and Enterprise editions, all versions from 16.8 up to but not including 18.5.0.", "description_and_impact": "GitLab versions 16.8 through 18.4.9 expose a missing authorization check that permits an attacker with access to the web interface or API to modify merge request approval rules. This flaw compromises the integrity of repo governance by allowing approval rules to be altered without proper permission, potentially enabling unauthorized merges or bypassing required reviews.", "risk_and_exploitability": "The flaw carries a CVSS v3.1 score of 3.1, indicating moderate impact. EPSS indicates a very low exploitation probability (<1%) and the issue is not in the CISA KEV catalog. Exploitation likely requires authenticated access via the web UI or API, but the missing authorization gate allows any user with basic access to create or edit approval rules. The risk is confined to authorization bypass rather than remote code execution."}}}}, "created": "2026-04-18T00:45:32.242885+00:00", "updated": "2026-04-18T00:45:32.242898+00:00", "vendors": []}