PatchSiren cyber security CVE debrief
CVE-2026-5296 GitLab CVE debrief
GitLab Enterprise Edition (EE) contains an authorization bypass vulnerability affecting the foundational flows feature. When foundational flows are enabled at the group level, an authenticated user with Developer role permissions can bypass flow restrictions under specific conditions. The vulnerability stems from missing authorization checks (CWE-862) in the flow enforcement logic. This is rated MEDIUM severity with a CVSS 3.1 score of 4.3, reflecting the authenticated nature of the attack and limited impact scope. The issue was reported through HackerOne and has been remediated in patched versions. No known exploitation in the wild has been reported, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: GitLab
- Product: Unknown
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running GitLab Enterprise Edition with foundational flows enabled at the group level, particularly those with strict compliance requirements for development workflows. Security teams responsible for access control validation and DevSecOps pipeline integrity should prioritize verification of flow enforcement after patching.
Technical summary
The vulnerability exists in GitLab EE's foundational flows feature, which allows organizations to define and enforce standardized workflows across projects. When enabled at the group level, the implementation fails to properly validate that flow restrictions apply to all users with Developer permissions. An authenticated attacker with Developer role access can exploit this missing authorization check to circumvent configured flow restrictions. The attack requires network access to the GitLab instance and valid Developer credentials, but does not require user interaction. Successful exploitation results in integrity impact only—attackers can bypass workflow controls but cannot read unauthorized data or cause denial of service. The vulnerability is confined to the specific feature and does not affect broader GitLab access controls.
Defensive priority
medium
Recommended defensive actions
- Upgrade GitLab EE to 18.10.7, 18.11.4, or 19.0.1 (or a later release on the same branch)
- Review group-level foundational flows configurations for unauthorized modifications
- Audit project access logs for unusual Developer role activity in environments with foundational flows enabled
- Verify that flow restrictions are properly enforced after patching
- If immediate patching is not possible, consider disabling foundational flows at the group level as a temporary mitigation
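To make the upgrade check repeatable across many instances, the following script compares a GitLab version string against the affected ranges and fixed releases this debrief lists. It is an added example for this debrief, not GitLab's own tooling; the ranges are copied from the evidence notes below, the sample version strings are constructed, and the optional `fetch_version` helper assumes GitLab's authenticated `/api/v4/version` endpoint and a read-only personal access token that you supply.

```python
"""Check a GitLab EE version string against the releases this debrief lists
as affected by / fixed for CVE-2026-5296.

Added example, not GitLab's own tooling. Version ranges come from the
debrief's evidence notes; the API helper assumes /api/v4/version and a
read-only personal access token.
"""
import json
import urllib.request

# Inclusive (low, high) bounds of the affected releases named in the evidence notes.
AFFECTED_RANGES = [
    ((18, 7, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
    ((19, 0, 0), (19, 0, 0)),
]

# First fixed release on each branch, as named in the recommended actions.
FIXED_RELEASES = [(18, 10, 7), (18, 11, 4), (19, 0, 1)]


def parse_version(text):
    """Turn '18.10.6-ee' or '19.0.1' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]  # GitLab appends '-ee' to EE builds
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """True when the version falls inside one of the listed affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def assess(text):
    """Return a one-line assessment naming the smallest fixed release above an affected version."""
    v = parse_version(text)
    if is_affected(text):
        target = ".".join(map(str, min(f for f in FIXED_RELEASES if f > v)))
        return f"{text}: AFFECTED - upgrade to {target} or later"
    return f"{text}: not in the affected ranges listed for CVE-2026-5296"


def fetch_version(base_url, token):
    """Read the running version from GitLab's /api/v4/version endpoint.

    Not called in this example; supply your own instance URL and a
    read-only personal access token (hypothetical values).
    """
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


# Constructed sample versions covering each affected branch and its fix.
SAMPLE_VERSIONS = ["18.6.9-ee", "18.8.2-ee", "18.10.6-ee", "18.10.7-ee",
                   "18.11.3-ee", "18.11.4-ee", "19.0.0-ee", "19.0.1-ee"]

if __name__ == "__main__":
    for sample in SAMPLE_VERSIONS:
        print(assess(sample))
```

Versions below 18.7.0 are reported as outside the listed ranges because the debrief does not name them as affected; treat that as "not listed", not as a clean bill of health, and confirm against the vendor advisory for the branch you run.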
Evidence notes
The vulnerability affects GitLab EE versions 18.7.0 through 18.10.6, 18.11.0 through 18.11.3, and version 19.0.0. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and low integrity impact with no confidentiality or availability impact. The weakness is classified as CWE-862 (Missing Authorization). One reference link (GitLab work item 595423) is marked as broken in the source data.
Official resources
- CVE-2026-5296 CVE record: CVE.org
- CVE-2026-5296 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes, Vendor Advisory
- Source reference: [email protected] - Broken Link
- Source reference: [email protected] - Permissions Required
GitLab disclosed this vulnerability on 2026-05-27 via coordinated disclosure through their security advisory and patch release process. The issue was originally reported via HackerOne.