CVE-2026-4868

HIGH severity · CVSS 8.2 · Authorization bypass

8.2CVSS HIGH

Summary

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Affected products we track (1)

GitLab

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
https://about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/Advisory
https://gitlab.com/gitlab-org/gitlab/-/work_items/594809
https://hackerone.com/reports/3619872