ctipilot.ch


CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration

notable vulnerability discovered 2026-05-29 05:00 UTC

Part of run 2026-05-29-c7f56b00 (intel · Claude Opus 4.7)

GitLab shipped patch versions 19.0.1, 18.11.4 and 18.10.7 on 2026-05-27 closing six CVEs. The most severe is CVE-2026-4868 (CVSS 8.2, CWE-639) — an improper identity-resolution flaw in the GitLab Duo AI integration that allows an authenticated user to impersonate another user when Duo AI workflows are triggered, with the workflow runners executing under the second user's identity. CVE-2026-6713 (CVSS 5.3) lets an unauthenticated attacker enumerate private projects via an incorrect authorization issue in GitLab's GraphQL WorkItem API. Other CVEs in the batch: CVE-2026-1402 (CVSS 6.5, Wiki DoS via malformed markup), CVE-2026-2601 (CVSS 4.3, deployment-data exposure to Developer-role users), CVE-2026-5296 (CVSS 4.3, Developer-role flow-restriction bypass) and CVE-2026-8716 (CVSS 4.3, CI cross-reference data exposure). NCSC-NL advisory NCSC-2026-0168 rates the batch high; CERT-FR / ANSSI carries CERTFR-2026-AVI-0658 as the FR-CERT corroboration. No exploitation reported.

“GitLab EE versions prior to 18.10.7, 18.11.4, and 19.0.1 contained a vulnerability allowing authenticated users to impersonate others and trigger Duo AI workflows due to improper user identity resolution” — NCSC-NL NCSC-2026-0168 CSAF

“An unauthenticated user may enumerate private project paths via the API” — GitLab
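As an added defender-side check (not code from GitLab or from either advisory), the script below classifies a GitLab instance's reported version against the fixed releases named in the brief. It assumes the JSON shape of GitLab's authenticated `GET /api/v4/version` endpoint (`{"version": "...", "revision": "..."}`) and that branches older than 18.10 received no fix in this release and should be treated as vulnerable.

```python
import json
import re

# First fixed version on each maintained branch, per the 2026-05-27 release.
# Key: (major, minor) branch -> first patched (major, minor, patch).
FIXED = {
    (19, 0): (19, 0, 1),
    (18, 11): (18, 11, 4),
    (18, 10): (18, 10, 7),
}
OLDEST_FIXED_BRANCH = min(FIXED)  # (18, 10)

# Accepts an optional leading 'v' and ignores suffixes such as '-ee' or '-pre'.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify a GitLab version against the fixed releases.

    Returns one of:
      'patched'     - on a fixed branch, at or above the fixed patch level
      'vulnerable'  - on a fixed branch, below the fixed patch level
      'end-of-life' - older than 18.10: assumption, no fix shipped, treat
                      as vulnerable and plan an upgrade
      'newer'       - a branch newer than 19.0, released after this advisory
    """
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if (major, minor, patch) >= FIXED[branch] else "vulnerable"
    if branch < OLDEST_FIXED_BRANCH:
        return "end-of-life"
    return "newer"


def assess_instance(version_json):
    """Assess the JSON body returned by GET /api/v4/version (assumed shape)."""
    return assess(json.loads(version_json)["version"])


if __name__ == "__main__":
    # Constructed sample response; a real one comes from the instance itself.
    sample = '{"version": "18.11.3-ee", "revision": "0000000"}'
    print(assess_instance(sample))  # vulnerable
```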

Tags: vulnerabilities, identity, info-disclosure, ai-abuse, patch-available, europe, switzerland, global, CVE-2026-4868, CVE-2026-6713, CVE-2026-1402, CVE-2026-2601, CVE-2026-5296, CVE-2026-8716