CVE-2026-6277 — Incorrect Authorization in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.

How to fix CVE-2026-6277

To remediate CVE-2026-6277, upgrade the affected package to a fixed version below.

Bitnami/gitlab—upgrade to 18.10.8 or later

Is CVE-2026-6277 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-6277.

Affected packages (1)

>= 13.9.0, < 18.10.8, >= 18.11.0, < 18.11.5, >= 19.0.0, < 19.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References (4)

WEBabout.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/
WEBgitlab.com/gitlab-org/gitlab/-/work_items/596656
WEBhackerone.com/reports/3662615
WEBnvd.nist.gov/vuln/detail/CVE-2026-6277