CVE-2025-5846

An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.com/gitlab-org/gitlab/-/issues/546435

Configurations

No configuration.

History

26 Jun 2025, 18:57

Type	Values Removed	Values Added
Summary		(es) Se ha descubierto un problema en GitLab EE que afecta a todas las versiones desde la 16.10 hasta la 17.11.5, la 18.0 hasta la 18.0.3 y la 18.1 hasta la 18.1.1 que podría haber permitido a los usuarios autenticados asignar frameworks de cumplimiento no relacionados a los proyectos mediante el envío de mutaciones GraphQL manipuladas que eludían los controles de permisos específicos del framework.

26 Jun 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-26 06:15

Updated : 2025-06-26 18:57

NVD link : CVE-2025-5846

Mitre link : CVE-2025-5846

CVE.ORG link : CVE-2025-5846

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

2.7 /10