Zero Day MonitorZDM

← Back to list

2.7

CVE-2026-4916PATCHED

gitlab · gitlab

Missing Authorization in GitLab

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations.

Affected Products

Vendor	Product	Versions
gitlab	gitlab	18.2, 18.9, 18.10, 18.8.8, 18.9.4, 18.10.2

References

https://hackerone.com/reports/3301240(technical-description, exploit, permissions-required)
https://gitlab.com/gitlab-org/gitlab/-/work_items/565414
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Related News (1 articles)

Tier C

VulDB1h ago

CVE-2026-4916 | GitLab Community Edition/Enterprise Edition up to 18.8.8/18.9.4/18.10.2 Group Member authorization

→ No new info (linked only)

CVSS 3.12.7 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

18.8.918.9.518.10.3

CWECWE-862

PublishedApr 8, 2026

Last enriched44m agov2

Trending Score23

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-5173EXP

Exposed Dangerous Method or Function in GitLab

CRITICALCVE-2026-1516EXP

Improper Control of Generation of Code ('Code Injection') in GitLab

CRITICALCVE-2025-12664EXP

Improper Validation of Specified Quantity in Input in GitLab

HIGHCVE-2026-2104EXP

Authorization Bypass Through User-Controlled Key in GitLab

HIGHCVE-2026-1752

Incorrect Authorization in GitLab

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity

Apr 9, 2026

Version History

v2

Last enriched 44m ago

v2Tier C44m ago

Updated affected versions to include 18.8.8, 18.9.4, and 18.10.2, changed severity to MEDIUM, and noted that no exploit exists.

affectedVersionsseverity

via VulDB

v12h ago

Initial creation