PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9807 GitLab CVE debrief

GitLab has remediated an authorization enforcement flaw in GitLab CE/EE in which a blocked Project Access Token could, under certain conditions, continue to access private resources. Affected versions are 18.9 through 18.10.6, 18.11 through 18.11.3, and 19.0; the fixed versions are 18.10.7, 18.11.4 and 19.0.1. The issue was reported through HackerOne and is classified as CWE-863 (Incorrect Authorization). The CVSS 3.1 base score is 4.3 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, limited confidentiality impact and no integrity or availability impact.

Vendor
GitLab
Product
GitLab CE/EE
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

GitLab administrators running self-hosted CE/EE instances, DevOps and platform security teams, and any organization that relies on Project Access Tokens for CI/CD or API access should prioritise the upgrade. Security teams should also review token lifecycle management and confirm that blocking a token actually stops its access rather than assuming it does.

Technical summary

The flaw is an authorization enforcement error in GitLab's handling of Project Access Tokens: under certain conditions (not detailed here), a token that had been blocked was still accepted when accessing private resources, so the blocked state was not consistently enforced at authorization time. It is classified as CWE-863 (Incorrect Authorization) with a CVSS 3.1 score of 4.3 (Medium). An attacker needs network access to the instance and possession of a Project Access Token that has since been blocked; no user interaction is required. The impact is limited to confidentiality (C:L), with no integrity or availability impact.

Defensive priority

medium

Recommended defensive actions

  • Upgrade GitLab CE/EE to patched versions: 18.10.7, 18.11.4, or 19.0.1 or later
  • Review and rotate Project Access Tokens, especially any tokens that were blocked but may have shown continued activity
  • Audit access logs for private resources for requests made with a Project Access Token after that token was blocked; any successful request after the block time is a finding and should be treated as potential unauthorized access
  • Verify token revocation workflows are functioning correctly after patching
  • For environments where immediate patching is not feasible, consider additional monitoring on private repository access and token usage patterns
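One way to act on the audit and verification items above, as an added example that is not GitLab's code and not part of the original advisory. It assumes a token inventory in the shape returned by the GitLab access-tokens API (`id`, `name`, `revoked`, `active`) extended with a `blocked_at` timestamp that an operator would take from their own audit trail, and api_json.log lines that carry `token_type` and `token_id`; the inventory and log lines below are constructed for the example. The `revocation_enforced` helper makes a live request and is only meant to be run against your own patched instance with a deliberately blocked test token.

```python
"""Correlate a Project Access Token inventory with API request logs to find
requests a token made after it was blocked, and check that a blocked token
is rejected after patching.

Added example, not GitLab's own code. Assumptions (constructed for the
example): the inventory has the shape of GET /projects/:id/access_tokens
(`id`, `name`, `revoked`, `active`) plus a `blocked_at` timestamp from the
operator's audit trail; the log lines follow api_json.log and carry
`token_type` and `token_id`. No data below comes from a real instance.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

# Constructed token inventory. Token 57 was blocked on 2026-05-10.
TOKENS = [
    {"id": 41, "name": "ci-deploy", "revoked": False, "active": True,
     "blocked_at": None},
    {"id": 57, "name": "old-release-bot", "revoked": True, "active": False,
     "blocked_at": "2026-05-10T09:00:00Z"},
]

# Constructed api_json.log excerpt (one JSON object per line).
API_LOG = """\
{"time":"2026-05-09T12:00:00Z","method":"GET","path":"/api/v4/projects/7/repository/files/README.md","status":200,"token_type":"ProjectAccessToken","token_id":57}
{"time":"2026-05-12T08:15:43Z","method":"GET","path":"/api/v4/projects/7/repository/files/.env","status":200,"token_type":"ProjectAccessToken","token_id":57}
{"time":"2026-05-12T08:16:10Z","method":"GET","path":"/api/v4/projects/7/merge_requests","status":200,"token_type":"ProjectAccessToken","token_id":41}
{"time":"2026-05-13T03:00:00Z","method":"GET","path":"/api/v4/projects/7/repository/tree","status":401,"token_type":"ProjectAccessToken","token_id":57}
this line is not JSON and is skipped
"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used above into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_post_block_access(tokens, log_text):
    """Return log events where a blocked Project Access Token still received a
    successful (2xx) response after its block time. A 401 after the block is
    the expected outcome and is not reported."""
    blocked_at = {t["id"]: parse_ts(t["blocked_at"]) for t in tokens if t.get("blocked_at")}
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole audit
        if event.get("token_type") != "ProjectAccessToken":
            continue
        token_id = event.get("token_id")
        if token_id not in blocked_at:
            continue
        if parse_ts(event["time"]) <= blocked_at[token_id]:
            continue  # request predates the block: legitimate use
        if 200 <= int(event.get("status", 0)) < 300:
            findings.append({
                "token_id": token_id,
                "time": event["time"],
                "method": event["method"],
                "path": event["path"],
                "status": event["status"],
            })
    return findings


def revocation_enforced(base_url, token, project_id):
    """Post-patch check: call a private-project endpoint with a token that has
    been blocked and return True only if the instance rejects it (401/403).
    Makes a live request, so run it only against your own instance, e.g.
    revocation_enforced("https://gitlab.example.com", "<blocked token>", 7)
    (hypothetical host and project id)."""
    url = f"{base_url.rstrip('/')}/api/v4/projects/{project_id}"
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        return err.code in (401, 403)
    return False  # 2xx: the blocked token is still being accepted


if __name__ == "__main__":
    for f in find_post_block_access(TOKENS, API_LOG):
        print(f"token {f['token_id']} used after block: "
              f"{f['time']} {f['method']} {f['path']} -> {f['status']}")
```

On the constructed input the audit reports exactly one finding: token 57 fetching `.env` with a 200 two days after it was blocked. The earlier request by the same token predates the block and the later 401 is the behaviour you want to see, so neither is reported. After upgrading, block a throwaway token on a test project and confirm `revocation_enforced` returns True before relying on blocking as a control again.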

Evidence notes

The vulnerability description and affected version ranges are sourced from the official CVE record and GitLab's security release notes. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms network accessibility with low privileges required. CWE-863 classification indicates an authorization logic error. The HackerOne report reference confirms responsible disclosure through GitLab's bug bounty program.

Official resources

GitLab disclosed this vulnerability on May 27, 2026, with patches released the same day. The CVE was published to NVD on May 28, 2026. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA KEV.