PatchSiren cyber security CVE debrief
CVE-2026-2900 GitLab CVE debrief
A low-severity vulnerability was discovered in GitLab EE, affecting versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. The issue allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks when instance-level approval rule editing prevention was enabled.
- Vendor
- GitLab
- Product
- GitLab EE (the record's product field is unpopulated; taken from the advisory description)
- CVSS
- LOW 2.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-14
- Original CVE updated
- 2026-05-14
- Advisory published
- 2026-05-14
- Advisory updated
- 2026-05-14
Who should care
Administrators of self-managed GitLab EE instances running versions from 16.10 before 18.9.7, 18.10 before 18.10.6, or 18.11 before 18.11.3, in particular those that rely on the instance-level setting that prevents editing of approval rules to keep project Maintainers from weakening merge request approval requirements, should plan an upgrade to a fixed release.
Technical summary
The vulnerability has a CVSS score of 2.7 and is classified as LOW severity. It is a missing authorization check (CWE-862): when the instance-level setting that prevents editing of approval rules was enabled, an authenticated user holding the Maintainer role on a project could still modify or delete that project's approval rules. The practical effect is that a control administrators intended to enforce centrally (who must approve a merge request, and how many approvals are required) could be weakened or removed by a project Maintainer, which is why the issue matters for code review and separation-of-duties controls despite the low score. Exploitation requires an existing privileged account, so the score reflects limited impact rather than difficulty.
Defensive priority
LOW
Recommended defensive actions
- Update to a patched version of GitLab EE (18.9.7, 18.10.6, or 18.11.3) to remediate the vulnerability.
- After upgrading, confirm that the instance-level setting preventing approval rule edits is still enabled, then compare each protected project's approval rules against their intended configuration and restore any rule that a Maintainer may have modified or deleted while the instance was on an affected version. The setting itself does not mitigate the issue on unpatched versions, because the bypass is a missing server-side check.
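The two actions above can be scripted. The following is an added example, not GitLab's or PatchSiren's own code: it checks a reported GitLab version string against the advisory's three affected ranges, and compares a saved baseline of a project's approval rules against a fresh snapshot to surface deletions, lowered approval counts, and removed approvers, which are the changes the missing check permitted. The version string format assumed is what `GET /api/v4/version` returns (for example `18.9.6-ee`); the approval rule JSON shape is modelled on `GET /api/v4/projects/:id/approval_rules` and should be treated as an assumption. Both sample inputs are constructed.

```python
"""Affected-version check and approval-rule drift check for CVE-2026-2900.

Added example, not GitLab's own code. The version ranges come from the advisory
text. The approval-rule dict shape (name, approvals_required, eligible_approvers
with username) is an assumption modelled on the GitLab project approval rules API.
"""
import re

# (introduced, fixed) pairs from the advisory: affected if introduced <= v < fixed
AFFECTED_RANGES = [
    ((16, 10, 0), (18, 9, 7)),
    ((18, 10, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
]


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple (missing patch -> 0)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version falls inside one of the advisory's vulnerable ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def approval_rule_drift(baseline, current):
    """Compare two snapshots of one project's approval rules (lists of dicts).

    Returns human-readable findings for rules that disappeared, rules whose
    required approval count dropped, and rules that lost eligible approvers.
    Additions are ignored: the concern is weakened review, not stricter review.
    """
    findings = []
    cur_by_name = {r["name"]: r for r in current}
    for rule in baseline:
        name = rule["name"]
        now = cur_by_name.get(name)
        if now is None:
            findings.append(f"rule {name!r} was deleted")
            continue
        before_n = rule.get("approvals_required", 0)
        after_n = now.get("approvals_required", 0)
        if after_n < before_n:
            findings.append(f"rule {name!r}: approvals_required dropped {before_n} -> {after_n}")
        before = {u["username"] for u in rule.get("eligible_approvers", [])}
        after = {u["username"] for u in now.get("eligible_approvers", [])}
        removed = before - after
        if removed:
            findings.append(f"rule {name!r}: approvers removed {sorted(removed)}")
    return findings


# Constructed sample data (not real projects or users).
BASELINE_RULES = [
    {"name": "Security review", "approvals_required": 2,
     "eligible_approvers": [{"username": "alice"}, {"username": "bob"}]},
    {"name": "Compliance", "approvals_required": 1,
     "eligible_approvers": [{"username": "carol"}]},
]
CURRENT_RULES = [
    {"name": "Security review", "approvals_required": 1,
     "eligible_approvers": [{"username": "alice"}]},
]

if __name__ == "__main__":
    for v in ("18.9.6-ee", "18.9.7-ee", "18.10.5-ee", "18.11.3-ee", "16.9.9-ee"):
        print(f"{v:12} affected={is_affected(v)}")
    for finding in approval_rule_drift(BASELINE_RULES, CURRENT_RULES):
        print("DRIFT:", finding)
```

Run it against a baseline exported before the exposure window and a snapshot taken after the upgrade; any finding is a rule that needs to be restored and, where the project is subject to review controls, investigated.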
Evidence notes
The vulnerability was reported through HackerOne and remediated by GitLab.
Official resources
- CVE-2026-2900 CVE record (CVE.org)
- CVE-2026-2900 NVD detail (NVD)
- Source item: github_advisory_database