CVE-2026-6552 | GitLab has remediated an issue in GitLab EE affecting all ve… | CVSS 8.7 HIGH

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.

Metadata

CVE ID: CVE-2026-6552
State: PUBLISHED
Assigner: GitLab
Reserved: 2026-04-17 21:34 UTC
Published: 2026-06-11 10:20 UTC
Last updated: 2026-06-12 03:55 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: GitLab / GitLab
Sources: cve.org · NVD

Severity & Metrics

8.7 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
GitLab	GitLab	—	15.5 < 18.10.8, 18.11 < 18.11.5, 19.0 < 19.0.2

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.7	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

References (3)

https://gitlab.com/gitlab-org/gitlab/-/work_items/597295
HackerOne Bug Bounty Report #3655189 https://hackerone.com/reports/3655189
https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/