CVE-2026-4868
HIGH
8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none
Description
AI Translation Available
GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.
639
Authorization Bypass Through User-Controlled Key
IncompleteCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
Application
Gitlab by Gitlab
CPE Identifier
View Detailed Analysis
cpe:2.3:a:gitlab:gitlab:19.0.0:*:*:*:enterprise:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Gitlab by Gitlab
Version Range Affected
From
18.8.0
(inclusive)
To
18.10.7
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Gitlab by Gitlab
Version Range Affected
From
18.11.0
(inclusive)
To
18.11.4
(exclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-releas…
https://gitlab.com/gitlab-org/gitlab/-/work_items/594809
https://hackerone.com/reports/3619872