CVE-2026-6352 Overview
CVE-2026-6352 is an improper authorization vulnerability in GitLab Enterprise Edition (EE). The flaw allows an authenticated user with auditor-level access to modify compliance violation records through certain GraphQL operations. The issue affects GitLab EE versions 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2. Auditor accounts are intended to have read-only visibility into compliance data, so this authorization gap breaks the integrity boundary between audit and administrative roles. The vulnerability maps to CWE-863: Incorrect Authorization.
Critical Impact
An authenticated auditor can tamper with compliance violation records, undermining the integrity of GitLab's compliance and audit trail.
Affected Products
- GitLab EE 18.2 through versions before 18.11.7
- GitLab EE 19.0 through versions before 19.0.4
- GitLab EE 19.1 through versions before 19.1.2
Discovery Timeline
- 2026-07-08 - CVE-2026-6352 published to the National Vulnerability Database (NVD)
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-6352
Vulnerability Analysis
The vulnerability resides in GitLab EE's GraphQL API layer, specifically in operations that handle compliance violation records. Authorization checks on these mutations fail to properly enforce role boundaries for the auditor role. Auditor accounts are designed as read-only observers for governance and audit workflows. In affected versions, the missing authorization check allows these accounts to invoke mutations that modify compliance violation data.
Exploitation requires an authenticated session with auditor-level privileges, so the attack surface is limited to insiders or attackers who have already compromised such an account. Successful exploitation compromises the integrity of compliance evidence, which can conceal policy violations or misrepresent an organization's compliance posture. Confidentiality and availability are not directly affected.
Root Cause
The root cause is missing or incomplete authorization logic on specific GraphQL mutations related to compliance violations. The resolver code did not verify that the requesting user held a role permitted to modify the target records. Auditor tokens, which should be limited to read scopes on compliance objects, were accepted for write operations. This is a classic incorrect authorization defect classified under CWE-863.
Attack Vector
The attack is network-based and requires authentication. An attacker with valid auditor credentials, or a personal access token bound to an auditor account, sends a crafted GraphQL mutation to the GitLab instance targeting compliance violation records. No user interaction is required, and the request executes with the same trust as any legitimate API call from that account. Technical details are tracked in the GitLab Work Item and the HackerOne Security Report.
Detection Methods for CVE-2026-6352
Indicators of Compromise
- Unexpected GraphQL mutations against compliance violation objects originating from accounts with the Auditor role.
- Audit log entries showing modifications to compliance violation records without a corresponding administrator action.
- Compliance dashboards showing state transitions on violation records that cannot be traced to a policy owner.
Detection Strategies
- Review GitLab production_json.log and graphql_json.log for mutation operations targeting compliance violation types executed by auditor accounts.
- Correlate GitLab audit events for compliance record changes against the acting user's role assignment at the time of the change.
- Baseline normal GraphQL usage per auditor account and alert on any write-class mutation, since auditors should only issue read queries.
Monitoring Recommendations
- Forward GitLab application and audit logs to a centralized log platform and retain them for the duration required by your compliance program.
- Alert on any compliance record mutation where the actor's role is Auditor.
- Periodically reconcile compliance violation records against an out-of-band export to identify silent tampering.
How to Mitigate CVE-2026-6352
Immediate Actions Required
- Upgrade GitLab EE to 18.11.7, 19.0.4, or 19.1.2, matching the branch currently deployed.
- Audit all accounts assigned the Auditor role and revoke access that is no longer required.
- Rotate personal access tokens tied to auditor accounts to invalidate any credentials that may have been abused.
- Review compliance violation records for unauthorized changes since the affected versions were deployed.
Patch Information
GitLab addressed the issue in EE versions 18.11.7, 19.0.4, and 19.1.2. See the GitLab Patch Release Notes for full release details and upgrade guidance.
Workarounds
- If immediate patching is not possible, remove the Auditor role from accounts that do not strictly require it until the upgrade is applied.
- Restrict network access to the GitLab GraphQL endpoint to trusted management networks to limit exposure of authenticated APIs.
- Increase logging verbosity for GraphQL mutations and review activity from auditor accounts daily until the patched version is deployed.
# Example: upgrade an Omnibus GitLab EE instance on Debian/Ubuntu
sudo apt-get update
sudo apt-get install gitlab-ee=19.1.2-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:check SANITIZE=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

