CVE-2026-6063 Overview
CVE-2026-6063 is an improper access control vulnerability in GitLab Enterprise Edition (EE) that allows authenticated users with developer-role permissions to remove code owner approval rules from merge requests. The flaw affects all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. GitLab remediated the issue in the 18.11.3 patch release. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and requires authenticated network access with low privileges.
Critical Impact
Authenticated developers can bypass code owner approval requirements on merge requests, undermining mandatory review controls protecting sensitive code paths.
Affected Products
- GitLab EE versions 11.10 through 18.9.6
- GitLab EE versions 18.10 through 18.10.5
- GitLab EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patch versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2026-6063 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6063
Vulnerability Analysis
The vulnerability resides in GitLab EE's merge request approval enforcement logic. Code owner approval rules enforce that designated reviewers approve changes to specific files or directories before a merge request can be merged. Under certain conditions, an authenticated user with developer-role permissions can remove these approval rules from a merge request. The action bypasses the authorization checks intended to restrict approval-rule modification to maintainers or higher-privileged roles.
The attack requires network access and an authenticated session, but no user interaction. Successful exploitation does not disclose data or impact availability. The integrity impact stems from the ability to circumvent mandatory review controls on protected code paths.
Root Cause
The root cause is improper access control on the API and UI endpoints responsible for modifying merge request approval rules. The authorization logic did not consistently enforce role requirements when removing code owner approval entries, which is why the issue is classified under CWE-639. See the GitLab Patch Release Announcement for technical context.
Attack Vector
An attacker authenticates as a developer in a GitLab EE project that uses code owner approval rules. The attacker opens a merge request containing changes to files protected by code owner rules. Through the affected approval-rule modification interface, the attacker removes the code owner approval requirement and merges the change without the expected reviewer sign-off. Additional technical details are tracked in GitLab Work Item #596332 and HackerOne Report #3649087.
Detection Methods for CVE-2026-6063
Indicators of Compromise
- Merge requests merged into protected branches without expected code owner approvals recorded in the audit log
- Audit events showing removal or modification of approval_rules on open merge requests by developer-role users
- Unexpected changes to files governed by CODEOWNERS entries that lack corresponding approval records
Detection Strategies
- Review GitLab audit events for approval_rule deletion or modification actions performed by users without maintainer or owner roles
- Correlate merge request merge events with the presence of required code owner approvals using the GitLab API
- Alert on merges to protected branches where the merging user matches the merge request author and code owner rules were modified in-flight
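The three strategies above can be implemented as a single pass over exported audit events. The following is an added example, not code from this advisory or from GitLab: it parses newline-delimited JSON audit events, flags approval-rule changes made by users below maintainer, and flags protected-branch merges that lack a code owner approval, escalating when the merging user is also the author and a code owner rule was changed while the merge request was open. The event names, field names, and sample records are constructed for illustration and are assumptions modelled loosely on the shape of GitLab audit event JSON, not its exact schema; map them to the fields your instance actually emits.

```python
"""Detection pass over GitLab-style audit events for CVE-2026-6063 abuse patterns."""
import json
from collections import defaultdict

# Roles permitted to modify approval rules under the policy being enforced (assumption).
PRIVILEGED_ROLES = {"maintainer", "owner"}
# Event names that indicate an approval rule was removed or modified (constructed names).
RULE_ACTIONS = {"approval_rule_removed", "approval_rule_updated"}

# Constructed sample events (not real GitLab output). MR !42 shows the abuse pattern:
# a developer removes the code owner rule, then self-merges with no approval.
SAMPLE_AUDIT_LINES = """\
{"event": "approval_rule_removed", "project": "acme/payments", "mr_iid": 42, "actor": "alice", "actor_role": "developer", "rule_type": "code_owner", "ts": "2026-05-10T09:00:00Z"}
{"event": "merge_request_merged", "project": "acme/payments", "mr_iid": 42, "actor": "alice", "author": "alice", "target_branch": "main", "protected": true, "code_owner_approvals": [], "ts": "2026-05-10T09:05:00Z"}
{"event": "approval_rule_removed", "project": "acme/payments", "mr_iid": 43, "actor": "bob", "actor_role": "maintainer", "rule_type": "code_owner", "ts": "2026-05-10T10:00:00Z"}
{"event": "merge_request_merged", "project": "acme/payments", "mr_iid": 44, "actor": "carol", "author": "dave", "target_branch": "main", "protected": true, "code_owner_approvals": ["erin"], "ts": "2026-05-10T11:00:00Z"}
{"event": "merge_request_merged", "project": "acme/payments", "mr_iid": 45, "actor": "frank", "author": "frank", "target_branch": "feature/x", "protected": false, "code_owner_approvals": [], "ts": "2026-05-10T12:00:00Z"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not hide the other findings
    return events


def unprivileged_rule_changes(events):
    """Strategy 1: approval-rule removal or modification by a user below maintainer."""
    findings = []
    for ev in events:
        if ev.get("event") in RULE_ACTIONS and ev.get("actor_role") not in PRIVILEGED_ROLES:
            findings.append({
                "project": ev["project"],
                "mr_iid": ev["mr_iid"],
                "actor": ev["actor"],
                "reason": "approval rule changed by %s-role user" % ev.get("actor_role"),
            })
    return findings


def suspicious_merges(events):
    """Strategies 2 and 3: protected-branch merges without a code owner approval,
    escalated when the author self-merged after a code owner rule changed in-flight."""
    # Index code owner rule changes by (project, MR) so merges can be correlated.
    rule_changes = defaultdict(list)
    for ev in events:
        if ev.get("event") in RULE_ACTIONS and ev.get("rule_type") == "code_owner":
            rule_changes[(ev["project"], ev["mr_iid"])].append(ev["ts"])

    findings = []
    for ev in events:
        if ev.get("event") != "merge_request_merged" or not ev.get("protected"):
            continue  # only merges into protected branches are in scope
        key = (ev["project"], ev["mr_iid"])
        reasons = []
        if not ev.get("code_owner_approvals"):
            reasons.append("merged into protected branch without code owner approval")
        # ISO-8601 UTC timestamps of identical format compare correctly as strings.
        changed_before_merge = any(ts <= ev["ts"] for ts in rule_changes.get(key, []))
        if changed_before_merge and ev.get("actor") == ev.get("author"):
            reasons.append("author self-merged after code owner rule was modified in-flight")
        if reasons:
            findings.append({"project": ev["project"], "mr_iid": ev["mr_iid"],
                             "actor": ev["actor"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LINES)
    for f in unprivileged_rule_changes(evs) + suspicious_merges(evs):
        print(f)
```

Run against a real export, the two functions return one record per finding; feed them into whatever alerting path your log platform uses. Only MR !42 in the sample should be reported: MR !43's rule change was made by a maintainer, MR !44 carries a code owner approval, and MR !45 targets an unprotected branch.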
Monitoring Recommendations
- Forward GitLab audit logs and merge request events to a centralized log platform for retention and correlation
- Establish a baseline of approval-rule modifications per project to detect anomalous removal patterns
- Periodically reconcile CODEOWNERS policy with merged commits to identify policy bypass
How to Mitigate CVE-2026-6063
Immediate Actions Required
- Upgrade GitLab EE to version 18.9.7, 18.10.6, or 18.11.3 as appropriate for your release branch
- Audit merge requests merged since the affected versions were deployed for missing code owner approvals
- Restrict developer-role assignments on projects containing sensitive code paths until patching is complete
Patch Information
GitLab addressed the issue in the patch release announced on 2026-05-13. Upgrade to GitLab EE 18.9.7, 18.10.6, or 18.11.3. Refer to the GitLab Patch Release Announcement for the full advisory and upgrade instructions.
Workarounds
- Enforce protected branch rules that require maintainer approval in addition to code owner approval where feasible
- Limit developer-role membership on projects with strict review requirements until upgrades are deployed
- Enable required audit log review for approval_rule modification events on critical repositories
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.