Zero Day MonitorZDM

← Back to list

4.3

CVE-2026-2619PATCHED

gitlab · gitlab

Incorrect Authorization in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user with auditor privileges to modify vulnerability flag data in private projects due to incorrect authorization.

Affected Products

Vendor	Product	Versions
gitlab	gitlab	18.6, 18.9, 18.10, 18.8.8, 18.9.4, 18.10.2

References

https://hackerone.com/reports/3554982(technical-description, exploit, permissions-required)
https://gitlab.com/gitlab-org/gitlab/-/work_items/590430
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Related News (1 articles)

Tier C

VulDB52m ago

CVE-2026-2619 | GitLab Enterprise Edition up to 18.8.8/18.9.4/18.10.2 Private Project authorization

→ No new info (linked only)

CVSS 3.14.3 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

18.8.918.9.518.10.3

CWECWE-863

PublishedApr 8, 2026

Last enriched37m agov2

Trending Score29

Source articles2

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-5173EXP

Exposed Dangerous Method or Function in GitLab

CRITICALCVE-2026-1516EXP

Improper Control of Generation of Code ('Code Injection') in GitLab

CRITICALCVE-2025-12664EXP

Improper Validation of Specified Quantity in Input in GitLab

HIGHCVE-2026-2104EXP

Authorization Bypass Through User-Controlled Key in GitLab

HIGHCVE-2026-1752

Incorrect Authorization in GitLab

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity

Apr 9, 2026

Version History

v2

Last enriched 37m ago

v2Tier C37m ago

Updated affected versions to include 18.8.8, 18.9.4, and 18.10.2, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v12h ago

Initial creation