Skip to main content
CVE Vulnerability Database

CVE-2026-5796: GitLab Auth Bypass Vulnerability

CVE-2026-5796 is an authorization bypass flaw in GitLab CE/EE allowing Reporter-level users to view package metadata from projects with disabled Package Registry. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-5796 Overview

CVE-2026-5796 is an authorization bypass vulnerability [CWE-863] affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw resides in the group packages feature, where incorrect authorization checks allow authenticated users with Reporter-level group permissions to view package metadata from projects that have the Package Registry explicitly disabled. The vulnerability affects GitLab CE/EE versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. GitLab has remediated the issue in patch releases.

Critical Impact

Authenticated Reporter-level users can view package metadata from projects where the Package Registry is disabled, leading to unintended exposure of project information.

Affected Products

  • GitLab CE/EE versions 13.6 through 18.11.5
  • GitLab CE/EE versions 19.0 through 19.0.2
  • GitLab CE/EE versions 19.1 through 19.1.0

Discovery Timeline

  • 2026-06-25 - CVE-2026-5796 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-5796

Vulnerability Analysis

The vulnerability stems from incorrect authorization checks within GitLab's group packages feature. When a user with Reporter-level group permissions queries package data at the group level, GitLab fails to properly verify whether the Package Registry feature is enabled on the underlying projects. As a result, the system returns metadata for packages belonging to projects where administrators have explicitly disabled the Package Registry.

The issue is classified under [CWE-863] (Incorrect Authorization). Authorization enforcement should validate both the user's role and the feature-level access settings on each child project. GitLab's group-level package aggregation logic bypasses the project-level feature flag check, returning data that should be inaccessible.

Exploitation requires network access to the GitLab instance and authentication as a user with at least Reporter-level permissions on the target group. No user interaction is required, and the attack complexity is low. The impact is limited to confidentiality of package metadata, with no integrity or availability consequences.

Root Cause

The root cause is missing project-level feature gating in the group packages endpoint. The group-scoped query aggregates package data across child projects without re-evaluating whether each project's Package Registry is enabled. This breaks the security boundary that administrators expect when disabling the Package Registry at the project level.

Attack Vector

An authenticated attacker holding Reporter permissions on a group sends a request to the group packages endpoint. The response includes metadata for packages in child projects where the Package Registry has been disabled. Reference the GitLab Work Item Details and HackerOne Security Report #3646902 for additional technical context.

Detection Methods for CVE-2026-5796

Indicators of Compromise

  • Audit log entries showing group-level package API requests originating from Reporter-level accounts targeting groups containing projects with the Package Registry disabled.
  • Repeated GET requests to /api/v4/groups/:id/packages endpoints from accounts that lack Developer or higher permissions on individual projects.
  • Unusual enumeration patterns of package metadata across multiple projects within a group by a single authenticated user.

Detection Strategies

  • Review GitLab audit events for access to group package endpoints and correlate with project-level Package Registry configuration to identify access patterns inconsistent with intended permissions.
  • Compare access logs against project settings to flag any user retrieving package metadata from a project where the Package Registry is disabled.
  • Monitor for accounts that systematically query group-level package APIs without corresponding project-level activity.

Monitoring Recommendations

  • Enable GitLab's audit event streaming and forward API access logs to a centralized analytics platform for correlation with project configuration state.
  • Configure alerts for sustained or high-volume queries to the group packages API by lower-privileged users.
  • Track changes to Package Registry feature flags and correlate with subsequent group-level package queries to detect post-disablement access attempts.

How to Mitigate CVE-2026-5796

Immediate Actions Required

  • Upgrade GitLab CE/EE to version 18.11.6, 19.0.3, or 19.1.1 or later, depending on your current major version branch.
  • Audit Reporter-level memberships across groups containing projects with the Package Registry disabled and revoke unnecessary access.
  • Review recent group-level package API access logs to identify any unauthorized metadata exposure.

Patch Information

GitLab has released fixed versions 18.11.6, 19.0.3, and 19.1.1 that correct the authorization checks in the group packages feature. Consult the GitLab Patch Release Notes for upgrade instructions and full advisory details.

Workarounds

  • Restrict Reporter-level access on groups containing sensitive projects until the upgrade is applied.
  • Remove or relocate sensitive projects from shared groups where lower-privileged users hold Reporter access.
  • Treat package metadata in affected projects as exposed until logs confirm no unauthorized access occurred.
bash
# Verify installed GitLab version and upgrade via package manager
sudo gitlab-rake gitlab:env:info | grep Version
sudo apt-get update && sudo apt-get install gitlab-ee=19.1.1-ee.0
sudo gitlab-ctl reconfigure

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.