CVE-2026-5309
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
An issue in GitLab EE allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization under certain conditions. Affected versions: 18.6 to 18.11.6, 19.0 to 19.0.3, and 19.1 to 19.1.1.
Risk Assessment
The risk involves potential breach of confidentiality and integrity by unauthorized access to another group's virtual registry configuration, which could lead to information disclosure or unwanted changes.
Recommendation
Immediately upgrade GitLab EE to version 18.11.6, 19.0.3, or 19.1.1 depending on your branch. If upgrade is not possible, restrict access to virtual registry features for unauthorized users.
Original NVD description (English source)
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization.

