PT-2026-44068 · Gitlab · Gitlab Ce/Ee

Published

2026-05-27

Updated

2026-05-30

CVE-2026-4868

CVSS v3.1

8.2

High

Vector

AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions GitLab EE versions 18.8 through 18.10.6 GitLab EE versions 18.11 through 18.11.3 GitLab EE versions 19.0 through 19.0.0

Description An issue in the authorization mechanism of Duo AI workflow runners allows an authenticated user to bypass authorization using a user-controlled key. This improper user identity resolution when triggering Duo AI workflow runners could allow specific Duo AI workflows to run under another user's identity, potentially impacting the confidentiality and integrity of protected information.

Recommendations Update to version 18.10.7 for those on the 18.8 through 18.10.6 range. Update to version 18.11.4 for those on the 18.11 through 18.11.3 range. Update to version 19.0.1 for those on the 19.0 through 19.0.0 range.

Exploit

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

BDU:2026-07488

BIT-GITLAB-2026-4868

CVE-2026-4868

Affected Products

Gitlab Ce/Ee

PT-2026-44068 · Gitlab · Gitlab Ce/Ee

CVE-2026-4868

Weakness Enumeration

Related Identifiers

Affected Products

References · 13