CVE-2026-5952 Overview
CVE-2026-5952 is an authorization bypass vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an authenticated user holding developer-role permissions to bypass package protection rules. Under specific conditions, attackers can overwrite protected Maven package metadata due to incorrect authorization checks [CWE-863]. The issue affects all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. GitLab has released patches across all affected branches.
Critical Impact
Authenticated developers can overwrite protected Maven package metadata, enabling supply chain tampering within GitLab package registries.
Affected Products
- GitLab CE/EE versions 17.11 through 18.11.5
- GitLab CE/EE versions 19.0 through 19.0.2
- GitLab CE/EE versions 19.1 through 19.1.0
Discovery Timeline
- 2026-06-25 - CVE-2026-5952 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-5952
Vulnerability Analysis
The vulnerability resides in GitLab's package protection rule enforcement logic for the Maven package registry. Package protection rules are intended to prevent users below a defined role from creating or modifying protected packages. The authorization layer fails to correctly evaluate developer-role permissions when handling Maven package metadata write operations. This results in incorrect authorization decisions categorized under [CWE-863].
An authenticated attacker with developer-role access can issue requests that should be rejected by the protection policy. Instead, the server processes the operation and permits modification of protected Maven metadata. Consequences include tampering with package coordinates, versions, or checksum references that downstream consumers rely on. This creates a viable path for internal supply chain manipulation within affected GitLab instances.
Root Cause
The root cause is an incorrect authorization check in the Maven package metadata handler. The code path responsible for enforcing package protection rules does not properly validate the acting user's role against the configured minimum access level. Developer-role tokens that should fail the protection check pass through to the write operation.
Attack Vector
Exploitation requires network access to the GitLab instance and authenticated developer-role credentials on a project that has Maven package protection rules configured. The attacker issues an authenticated request targeting protected Maven package metadata. No user interaction or elevated privileges are needed beyond developer access. Verified technical details are available in the GitLab Work Item Overview and HackerOne Security Report #3632428.
Detection Methods for CVE-2026-5952
Indicators of Compromise
- Unexpected modifications to Maven package metadata files in protected packages, particularly changes initiated by developer-role accounts.
- Audit log entries showing successful package metadata writes from users whose role is below the configured package protection threshold.
- Anomalous version overwrites or checksum changes on packages classified as protected in the GitLab package registry.
Detection Strategies
- Review GitLab audit events for package_registry and packages_maven write actions performed by non-maintainer accounts.
- Correlate GitLab API access logs with project package protection rule configurations to identify writes that should have been blocked.
- Establish baselines of expected Maven publishers per project and alert on deviations.
Monitoring Recommendations
- Forward GitLab application logs, audit events, and Rails production logs to a centralized analytics platform for retention and correlation.
- Monitor PUT and POST requests against /api/v4/projects/*/packages/maven/* endpoints originating from developer-role tokens.
- Track changes to package protection rule definitions and alert on disablement or scope reductions.
How to Mitigate CVE-2026-5952
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.11.6, 19.0.3, or 19.1.1 depending on your current release branch.
- Audit all Maven packages in projects with active package protection rules to identify unauthorized metadata changes.
- Review developer-role membership across projects that publish protected Maven packages and revoke unnecessary access.
Patch Information
GitLab released fixed versions 18.11.6, 19.0.3, and 19.1.1 that remediate the incorrect authorization check. Administrators should follow the upgrade instructions in the GitLab Patch Release Note. Self-managed GitLab instances must be upgraded directly, while GitLab.com is patched by GitLab.
Workarounds
- Temporarily restrict developer-role membership on projects that host protected Maven packages until patches are applied.
- Increase the minimum role required by package protection rules to maintainer where operationally feasible.
- Disable Maven package publishing on sensitive projects until the upgrade is completed.
# Verify installed GitLab version after upgrade
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Example: enforce stricter package protection rule via API
curl --request POST --header "PRIVATE-TOKEN: <token>" \
--header "Content-Type: application/json" \
--data '{"package_name_pattern":"com.example.*","package_type":"maven","minimum_access_level_for_push":"maintainer"}' \
"https://gitlab.example.com/api/v4/projects/<id>/packages/protection/rules"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

