CVE-2026-0934
Severity: Low (CVSS 3.8)
Exploitation Probability (EPSS): Low risk, 10th percentile (higher than 10% of all known CVEs)
Summary
In GitLab EE, a vulnerability was found that under certain conditions allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations even though CI/CD visibility was disabled for the project.
Risk Assessment
The risk involves unauthorized access to sensitive environment configurations, which could lead to compromise of CI/CD pipeline integrity and potential injection of malicious code into production environments.
Recommendation
Immediately upgrade GitLab EE to version 18.11.6, 19.0.3, or 19.1.1 depending on the branch in use, and review and restrict custom roles with environment management permissions.
Original NVD description (English source)
GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.
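As an added example (not code from the advisory or from GitLab), the following Python check classifies a GitLab EE version string against the three affected ranges stated above and names the first fixed release for that branch. It assumes the version string is in the `MAJOR.MINOR[.PATCH]` form GitLab reports (for instance from the `/api/v4/version` endpoint); an `-ee` style suffix is ignored.

```python
# Added example: decide whether a GitLab EE version falls into the ranges the
# advisory lists for CVE-2026-0934 and, if so, which release fixes that branch.
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) per branch, taken from the advisory:
#   17.9 before 18.11.6, 19.0 before 19.0.3, 19.1 before 19.1.1
AFFECTED_RANGES = [
    ((17, 9, 0), (18, 11, 6)),
    ((19, 0, 0), (19, 0, 3)),
    ((19, 1, 0), (19, 1, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]'; a trailing '-ee'/'-ce' style suffix is dropped."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def affected_by_cve_2026_0934(text: str) -> Optional[str]:
    """Return the fixed release to upgrade to, or None if the version is not affected."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Tuple comparison is lexicographic, so this is a proper semantic range check.
        if first_affected <= version < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


if __name__ == "__main__":
    # Usage: python check.py 18.10.2   (constructed sample version)
    running = sys.argv[1] if len(sys.argv) > 1 else "18.10.2"
    fix = affected_by_cve_2026_0934(running)
    if fix is None:
        print(f"{running}: not in the affected ranges for CVE-2026-0934")
    else:
        print(f"{running}: affected, upgrade to {fix} and review custom roles")
```

A positive result is a reason to upgrade and to audit which custom roles carry environment management permissions, as the Recommendation section says; a negative result only covers this CVE.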

