CVE-2026-5309 | GitLab has remediated an issue in GitLab EE affecting all ve… | CVSS 5.4 MEDIUM

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization.

Metadata

CVE ID: CVE-2026-5309
State: PUBLISHED
Assigner: GitLab
Reserved: 2026-04-01 11:33 UTC
Published: 2026-06-25 04:34 UTC
Last updated: 2026-06-25 04:34 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: GitLab / GitLab
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
GitLab	GitLab	—	18.6 < 18.11.6, 19.0 < 19.0.3, 19.1 < 19.1.1

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (3)

https://gitlab.com/gitlab-org/gitlab/-/work_items/595468
HackerOne Bug Bounty Report #3628793 https://hackerone.com/reports/3628793
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/