CVE-2026-3607 Overview
GitLab patched an improper access control flaw in GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An authenticated user holding developer-role permissions can bypass package protection rules and perform package operations that should be restricted to higher-privileged roles. The issue is classified as CWE-1280: Access Control Check Implemented After Asset is Accessed, and was disclosed through HackerOne report #3586233.
Critical Impact
Authenticated developers can circumvent package protection rules, undermining repository governance controls that enforce who can publish or modify protected packages.
Affected Products
- GitLab CE/EE versions 18.3 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patched versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2026-3607 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-3607
Vulnerability Analysis
The vulnerability is a Broken Access Control flaw in GitLab's package registry. Package protection rules let project maintainers restrict which roles can publish, update, or delete specific package names and patterns. The protection layer is intended to prevent lower-privileged accounts from tampering with critical packages used by downstream consumers.
The authorization check applied to package operations does not correctly evaluate a developer-role user against the configured protection rules. As a result, a user with only developer permissions can perform package operations that the rules reserve for the maintainer or owner role. The attack is carried out over the network by an authenticated, low-privileged user, with low complexity and no user interaction; the impact is limited to integrity, with no confidentiality or availability impact.
Root Cause
The root cause is an improper access control check in the package protection rule enforcement logic: the server-side authorization layer does not apply protection rules consistently across every package operation path reachable by developer-role users. See the GitLab Work Item Details for upstream tracking.
Attack Vector
An attacker needs a valid GitLab account with developer-role membership in the target project. Using authenticated API calls or the standard package publishing clients, the attacker performs package operations that the protection rules should block. No user interaction is required, and the attack succeeds over the network with low complexity. The integrity impact is confined to package content governance rather than full repository compromise.
No verified public exploit code is available. Technical details are described in the HackerOne Report #3586233.
Detection Methods for CVE-2026-3607
Indicators of Compromise
- Package registry events showing creation, update, or deletion of protected packages by users with only developer-role membership.
- Audit log entries for requests to the /api/v4/projects/:id/packages/* endpoints from developer accounts that active protection rules should have blocked.
- Unexpected version changes or new package uploads matching patterns covered by package protection rules.
Detection Strategies
- Compare GitLab audit events for package operations against the project's configured package protection rules and flag mismatches.
- Alert on package publish or delete operations performed by accounts whose role is below the minimum role configured in the protection rule.
- Baseline normal publishing behavior per developer and detect deviations such as first-time publication of protected package names.
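The rule-versus-role mismatch check described in the detection strategies above, written out as an added example that is not part of the original page or of GitLab's own code. It reads audit events as JSON lines, matches each package operation against protection rules shaped like the records returned by GitLab's package protection rule API (package_name_pattern, package_type, minimum_access_level_for_push and minimum_access_level_for_delete), and flags any actor whose project role is below the matching rule's minimum. The audit event names, the rules, the membership table and the log lines are constructed for this example; a real deployment would pull rules and memberships from the GitLab API and stream audit events from the log platform.

```python
"""Added example (not GitLab code): flag package-registry audit events whose
actor's project role is below the minimum role required by a matching
package protection rule. Record shapes follow GitLab's API and audit-event
JSON, but every sample record here is constructed, not captured."""
import json
from fnmatch import fnmatchcase

# GitLab numeric access levels (Reporter 20, Developer 30, Maintainer 40, Owner 50).
# Protection rules accept "maintainer", "owner" or "admin"; "admin" is mapped above Owner.
ACCESS_LEVEL = {"guest": 10, "reporter": 20, "developer": 30,
                "maintainer": 40, "owner": 50, "admin": 60}

# Which rule field governs which operation. The event names are assumed for this example.
OPERATION_FIELD = {
    "package_registry_package_published": "minimum_access_level_for_push",
    "package_registry_package_deleted": "minimum_access_level_for_delete",
}

# Constructed protection rules for project 42.
PROTECTION_RULES = [
    {"project_id": 42, "package_type": "npm", "package_name_pattern": "@acme/core-*",
     "minimum_access_level_for_push": "maintainer"},
    {"project_id": 42, "package_type": "generic", "package_name_pattern": "release-*",
     "minimum_access_level_for_push": "maintainer", "minimum_access_level_for_delete": "owner"},
]

# Constructed project membership: project id -> username -> role name.
MEMBERS = {42: {"alice": "owner", "bob": "developer", "carol": "maintainer"}}

# Constructed audit-event JSON lines (one event per line), including a non-package event.
SAMPLE_LOG = """\
{"author_name":"bob","entity_type":"Project","entity_id":42,"details":{"event_name":"package_registry_package_published","package_type":"npm","package_name":"@acme/core-auth","package_version":"2.4.1"}}
{"author_name":"bob","entity_type":"Project","entity_id":42,"details":{"event_name":"package_registry_package_published","package_type":"npm","package_name":"@acme/sandbox","package_version":"0.0.1"}}
{"author_name":"carol","entity_type":"Project","entity_id":42,"details":{"event_name":"package_registry_package_published","package_type":"npm","package_name":"@acme/core-ui","package_version":"1.0.0"}}
{"author_name":"carol","entity_type":"Project","entity_id":42,"details":{"event_name":"package_registry_package_deleted","package_type":"generic","package_name":"release-artifacts","package_version":"3.2.0"}}
{"author_name":"alice","entity_type":"Project","entity_id":42,"details":{"event_name":"project_member_created"}}
"""


def required_level(project_id, package_type, package_name, field, rules=PROTECTION_RULES):
    """Highest minimum access level among rules that cover this package for the
    given operation field, or None when no rule covers it. Patterns use '*'
    wildcards and are matched case-sensitively."""
    levels = [ACCESS_LEVEL[r[field]] for r in rules
              if r["project_id"] == project_id
              and r["package_type"] == package_type
              and r.get(field)
              and fnmatchcase(package_name, r["package_name_pattern"])]
    return max(levels) if levels else None


def actor_level(project_id, username, members=MEMBERS):
    """Numeric access level of the actor in the project; non-members rank below every rule."""
    role = members.get(project_id, {}).get(username)
    return ACCESS_LEVEL[role] if role else 0


def find_violations(log_text, rules=PROTECTION_RULES, members=MEMBERS):
    """Return (username, package_name, event_name) for every package operation
    whose actor's role is below the protection rule minimum for that operation."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        details = event.get("details", {})
        field = OPERATION_FIELD.get(details.get("event_name"))
        if field is None:
            continue  # not a package operation
        project_id = event["entity_id"]
        need = required_level(project_id, details["package_type"], details["package_name"], field, rules)
        if need is None:
            continue  # no protection rule covers this package
        have = actor_level(project_id, event["author_name"], members)
        if have < need:
            findings.append((event["author_name"], details["package_name"], details["event_name"]))
    return findings


if __name__ == "__main__":
    for user, pkg, what in find_violations(SAMPLE_LOG):
        print(f"ALERT {what}: {user} acted on protected package {pkg}")
```

On the constructed input the script raises two alerts: bob (developer) publishing @acme/core-auth, which a maintainer-level push rule covers, and carol (maintainer) deleting release-artifacts, which an owner-level delete rule covers; bob's push of @acme/sandbox matches no rule and is ignored. Because the check compares the rule against the actor's role rather than trusting the server's decision, it catches exactly the class of operation this CVE lets through.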
Monitoring Recommendations
- Forward GitLab audit JSON logs and package registry events to a centralized log platform for correlation with role assignments.
- Track project membership changes to identify newly added developer accounts that subsequently interact with protected packages.
- Review CI/CD job tokens scoped to developer-role users that publish to the package registry.
How to Mitigate CVE-2026-3607
Immediate Actions Required
- Upgrade self-managed GitLab CE/EE instances to 18.9.7, 18.10.6, or 18.11.3 depending on the deployed branch.
- Audit recent package registry activity for any operations on protected packages performed by developer-role accounts since the affected versions were installed.
- Review and tighten project membership, removing developer-role access from users who do not require package publishing rights.
Patch Information
GitLab addressed the issue in versions 18.9.7, 18.10.6, and 18.11.3, released on May 13, 2026. Patch details and upgrade instructions are available in the GitLab Patch Release Announcement. GitLab.com is already running the patched version.
Workarounds
- Restrict developer-role membership on projects where package protection rules are critical until the upgrade is applied.
- Where feasible, route package publishing through dedicated service accounts with maintainer privileges and remove direct developer publishing paths.
- Increase logging and review cadence for package registry operations until the patched version is deployed.
# Verify the installed GitLab version on a self-managed Omnibus instance
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Faster alternative that does not load the Rails environment
sudo cat /opt/gitlab/embedded/service/gitlab-rails/VERSION
# Debian/Ubuntu upgrade example to the 18.11 patched branch
# (use gitlab-ce=18.11.3-ce.0 for CE; substitute 18.9.7 or 18.10.6 for the other branches)
sudo apt-get update && sudo apt-get install gitlab-ee=18.11.3-ee.0
# RHEL/CentOS upgrade example (EL8 package shown; use gitlab-ce for CE)
sudo yum install gitlab-ee-18.11.3-ee.0.el8.x86_64
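A self-contained check of whether a version string is still in one of the three affected ranges, added here as an example and not part of the GitLab release notes or of this page's original instructions. It encodes the ranges stated under Affected Products and accepts the value printed by gitlab-rake or the VERSION file (with or without an -ee/-ce suffix). The version_key and gitlab_affected function names are this example's own.

```shell
#!/bin/sh
# Added example: report whether a GitLab version string falls inside one of the
# ranges affected by CVE-2026-3607 (18.3 before 18.9.7, 18.10 before 18.10.6,
# 18.11 before 18.11.3). Function names are this example's own, not GitLab tooling.

# Turn "MAJOR.MINOR[.PATCH][-ee]" into one integer so ranges compare numerically.
version_key() {
  v=${1%%-*}                          # strip an edition suffix such as "-ee"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0   # "18.9" has no patch component
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Return 0 (true) when the version is affected, 1 when it is fixed or outside the ranges.
gitlab_affected() {
  k=$(version_key "$1")
  for range in "18.3.0 18.9.7" "18.10.0 18.10.6" "18.11.0 18.11.3"; do
    set -- $range                     # $1 = first affected, $2 = first fixed
    lo=$(version_key "$1")
    hi=$(version_key "$2")
    if [ "$k" -ge "$lo" ] && [ "$k" -lt "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# Usage: sh check.sh 18.9.6-ee
# e.g.  sh check.sh "$(sudo cat /opt/gitlab/embedded/service/gitlab-rails/VERSION)"
if [ $# -gt 0 ]; then
  if gitlab_affected "$1"; then
    echo "$1: AFFECTED by CVE-2026-3607, upgrade to 18.9.7 / 18.10.6 / 18.11.3"
  else
    echo "$1: not in an affected range"
  fi
fi
```

The comparison is done on a single integer key rather than a string so that 18.10.0 sorts after 18.9.7; a plain lexical comparison would put it before and misreport the 18.10 branch.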
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.