PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1338 Hackerone CVE debrief

CVE-2026-1338 is a medium-severity authorization issue in GitLab CE/EE. According to the advisory text, an authenticated user with developer-role permissions could delete protected container registry tags because of improper authorization checks. The affected ranges are GitLab 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. The issue is recorded with CVSS 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Vendor: Hackerone
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

GitLab administrators and platform owners running CE/EE, especially environments that rely on protected container registry tags and delegate developer-role access to users or teams.

Technical summary

The vulnerability is described as an authorization bypass (CWE-639) affecting protected container registry tags in GitLab CE/EE. An authenticated user with developer-role permissions could delete tags that should have been protected, indicating insufficient authorization enforcement around tag deletion actions. The advisory lists no confidentiality or availability impact, with the primary impact being integrity.

Defensive priority

Medium. This is not marked as KEV and the reported impact is limited to integrity, but it affects common GitLab deployment patterns where registry tag protection is used to preserve release artifacts.

Recommended defensive actions

  • Upgrade GitLab CE/EE to a fixed release: 18.9.7 or later, 18.10.6 or later, or 18.11.3 or later, depending on your branch.
  • Confirm that protected container registry tag rules are enabled and still aligned with your access-control model.
  • Review developer-role assignments for GitLab instances that expose container registry management to multiple users.
  • Audit recent container registry tag deletion activity and investigate any unexpected deletions.
  • Track the GitLab patch release advisory and related reference items for any follow-up guidance.
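As an added example for the upgrade step (not code from the advisory or from GitLab), the following Python script checks whether an installed GitLab version falls inside one of the affected ranges quoted in the advisory text above and reports the corresponding fixed release; the sample JSON body is constructed, and the shape of the GET /api/v4/version response it mirrors is an assumption.

```python
import json
import re

# Affected ranges quoted from the advisory text:
# lower bound inclusive, fixed release exclusive.
AFFECTED_RANGES = [
    ((17, 10, 0), (18, 9, 7)),    # 17.10 before 18.9.7
    ((18, 10, 0), (18, 10, 6)),   # 18.10 before 18.10.6
    ((18, 11, 0), (18, 11, 3)),   # 18.11 before 18.11.3
]


def parse_version(text):
    """Extract (major, minor, patch) from a GitLab version string.

    Accepts forms such as "18.9.6", "18.10.2-ee" or "v18.11"; an edition or
    pre-release suffix is ignored and a missing patch level is read as 0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version_text):
    """Return (affected, fixed_release) for one version string.

    A version outside every listed range is reported as not affected by the
    advisory ranges, which is not the same as a statement that it is safe.
    """
    v = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        if low <= v < fixed:
            return True, ".".join(map(str, fixed))
    return False, None


def assess_version_endpoint(body):
    """Assess a JSON body shaped like GitLab's GET /api/v4/version reply."""
    return assess(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample response, not captured from a real instance.
    sample = '{"version": "18.10.2-ee", "revision": "0000000"}'
    affected, fixed = assess_version_endpoint(sample)
    print("affected, upgrade to", fixed) if affected else print("not in a listed affected range")
```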

Evidence notes

The debrief is based on the GitHub Advisory Database entry for GHSA-8h74-p4xx-m53m, which cites the NVD record, a HackerOne report (3480620), the GitLab 18.11.3 patch-release announcement, and a GitLab work item. The source item is marked advisoryType=unreviewed, so claims are limited to the advisory text and referenced records.

Official resources

Publicly disclosed through the CVE and advisory records on 2026-05-14, with the linked GitLab patch release published on 2026-05-13. The supplied source item is labeled unreviewed, so this debrief stays close to the advisory wording and the