Skip to main content
CVE Vulnerability Database

CVE-2026-5952: GitLab Auth Bypass Vulnerability

CVE-2026-5952 is an authentication bypass flaw in GitLab CE/EE that allows developers to overwrite protected Maven package metadata. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-5952 Overview

CVE-2026-5952 is an authorization bypass vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw allows an authenticated user holding developer-role permissions to bypass package protection rules. Under specific conditions, attackers can overwrite protected Maven package metadata due to incorrect authorization checks [CWE-863]. The issue affects all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. GitLab has released patches across all affected branches.

Critical Impact

Authenticated developers can overwrite protected Maven package metadata, enabling supply chain tampering within GitLab package registries.

Affected Products

  • GitLab CE/EE versions 17.11 through 18.11.5
  • GitLab CE/EE versions 19.0 through 19.0.2
  • GitLab CE/EE versions 19.1 through 19.1.0

Discovery Timeline

  • 2026-06-25 - CVE-2026-5952 published to NVD
  • 2026-06-25 - Last updated in NVD database

Technical Details for CVE-2026-5952

Vulnerability Analysis

The vulnerability resides in GitLab's package protection rule enforcement logic for the Maven package registry. Package protection rules are intended to prevent users below a defined role from creating or modifying protected packages. The authorization layer fails to correctly evaluate developer-role permissions when handling Maven package metadata write operations. This results in incorrect authorization decisions categorized under [CWE-863].

An authenticated attacker with developer-role access can issue requests that should be rejected by the protection policy. Instead, the server processes the operation and permits modification of protected Maven metadata. Consequences include tampering with package coordinates, versions, or checksum references that downstream consumers rely on. This creates a viable path for internal supply chain manipulation within affected GitLab instances.

Root Cause

The root cause is an incorrect authorization check in the Maven package metadata handler. The code path responsible for enforcing package protection rules does not properly validate the acting user's role against the configured minimum access level. Developer-role tokens that should fail the protection check pass through to the write operation.

Attack Vector

Exploitation requires network access to the GitLab instance and authenticated developer-role credentials on a project that has Maven package protection rules configured. The attacker issues an authenticated request targeting protected Maven package metadata. No user interaction or elevated privileges are needed beyond developer access. Verified technical details are available in the GitLab Work Item Overview and HackerOne Security Report #3632428.

Detection Methods for CVE-2026-5952

Indicators of Compromise

  • Unexpected modifications to Maven package metadata files in protected packages, particularly changes initiated by developer-role accounts.
  • Audit log entries showing successful package metadata writes from users whose role is below the configured package protection threshold.
  • Anomalous version overwrites or checksum changes on packages classified as protected in the GitLab package registry.

Detection Strategies

  • Review GitLab audit events for package_registry and packages_maven write actions performed by non-maintainer accounts.
  • Correlate GitLab API access logs with project package protection rule configurations to identify writes that should have been blocked.
  • Establish baselines of expected Maven publishers per project and alert on deviations.

Monitoring Recommendations

  • Forward GitLab application logs, audit events, and Rails production logs to a centralized analytics platform for retention and correlation.
  • Monitor PUT and POST requests against /api/v4/projects/*/packages/maven/* endpoints originating from developer-role tokens.
  • Track changes to package protection rule definitions and alert on disablement or scope reductions.

How to Mitigate CVE-2026-5952

Immediate Actions Required

  • Upgrade GitLab CE/EE to version 18.11.6, 19.0.3, or 19.1.1 depending on your current release branch.
  • Audit all Maven packages in projects with active package protection rules to identify unauthorized metadata changes.
  • Review developer-role membership across projects that publish protected Maven packages and revoke unnecessary access.

Patch Information

GitLab released fixed versions 18.11.6, 19.0.3, and 19.1.1 that remediate the incorrect authorization check. Administrators should follow the upgrade instructions in the GitLab Patch Release Note. Self-managed GitLab instances must be upgraded directly, while GitLab.com is patched by GitLab.

Workarounds

  • Temporarily restrict developer-role membership on projects that host protected Maven packages until patches are applied.
  • Increase the minimum role required by package protection rules to maintainer where operationally feasible.
  • Disable Maven package publishing on sensitive projects until the upgrade is completed.
bash
# Verify installed GitLab version after upgrade
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Example: enforce stricter package protection rule via API
curl --request POST --header "PRIVATE-TOKEN: <token>" \
  --header "Content-Type: application/json" \
  --data '{"package_name_pattern":"com.example.*","package_type":"maven","minimum_access_level_for_push":"maintainer"}' \
  "https://gitlab.example.com/api/v4/projects/<id>/packages/protection/rules"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.