CVE-2026-1751

3.1 LOW

📋 TL;DR

This vulnerability in GitLab CE/EE allows unauthorized users to edit merge request approval rules under specific conditions. It affects all GitLab instances running versions 16.8 through 18.4.x. The issue could allow attackers to bypass intended approval workflows.

💻 Affected Systems

Products:
  • GitLab Community Edition
  • GitLab Enterprise Edition
Versions: 16.8.0 through 18.4.x
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments within the version range regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify approval rules to bypass critical security gates, allowing unauthorized code changes to be merged into production without proper review.

🟠 Likely Case

Unauthorized users could alter approval requirements for merge requests, potentially allowing code changes to bypass required approvals.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to potential workflow disruption rather than direct code compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions and some level of access to the GitLab instance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.5.0 and later

Vendor Advisory: https://gitlab.com/gitlab-org/gitlab/-/issues/519340

Restart Required: Yes

Instructions:

1. Back up your GitLab instance.
2. Update to GitLab 18.5.0 or later using your preferred update method.
3. Restart GitLab services.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Restrict merge request access: temporarily limit who can create or modify merge requests and approval rules.

🧯 If You Can't Patch

  • Implement strict access controls on merge request creation and modification
  • Enable enhanced logging and monitoring for approval rule changes

🔍 How to Verify

Check if Vulnerable:

Check GitLab version via admin interface or run: sudo gitlab-rake gitlab:env:info | grep Version

Check Version:

sudo gitlab-rake gitlab:env:info | grep Version

Verify Fix Applied:

Confirm version is 18.5.0 or later and test that unauthorized users cannot modify approval rules.
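The version check above as a small script, added here as an example and not GitLab's own tooling: it pulls the instance version out of `gitlab-rake gitlab:env:info` output and classifies it against the range this page states (16.8.0 through 18.4.x affected, 18.5.0 and later fixed). The `gitlab:env:info` output format is assumed, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not GitLab's tooling): classify a GitLab version against the
# affected range this page states for CVE-2026-1751: 16.8.0 through 18.4.x
# vulnerable, 18.5.0 and later fixed. Versions before 16.8 are treated as
# not affected, following the page's stated range.

# Extract the instance version from `gitlab-rake gitlab:env:info` output on stdin.
# A bare `grep Version` also matches lines such as "Ruby Version:" and
# "Redis Version:", so anchor on the line that starts with "Version:".
gitlab_version_from_env_info() {
    sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# Print "vulnerable" or "not-vulnerable" for a version such as "18.3.2-ee".
cve_2026_1751_status() {
    ver=${1%%-*}                      # drop an edition suffix like "-ee"
    major=${ver%%.*}
    minor=0
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
    esac
    if [ "$major" -eq 16 ] && [ "$minor" -ge 8 ]; then
        echo vulnerable
    elif [ "$major" -eq 17 ]; then
        echo vulnerable
    elif [ "$major" -eq 18 ] && [ "$minor" -le 4 ]; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Constructed sample of gitlab:env:info output (format assumed). On a real
# instance replace this with: sudo gitlab-rake gitlab:env:info
sample_env_info() {
    printf 'GitLab information\nVersion:\t18.4.1-ee\nRuby Version:\t3.2.5\n'
}

v=$(sample_env_info | gitlab_version_from_env_info)
echo "GitLab $v: $(cve_2026_1751_status "$v")"   # GitLab 18.4.1-ee: vulnerable
```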

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized attempts to modify approval rules
  • Unexpected changes to merge request approval configurations

Network Indicators:

  • Unusual API calls to merge request endpoints

SIEM Query:

source="gitlab" AND (event="approval_rule_change" OR api_endpoint="/api/v4/projects/*/merge_requests/*/approval_rules")
