Cyber Resilience

CVE-2026-4868

High

Published: 27 May 2026

Modified: 27 May 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: vendor fix available (see Vulnerability details)
CVSS v3.1 Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0034 (26.1st percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4868 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in GitLab (NVD product: Gitlab Gitlab). Its CVSS v3.1 base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). EPSS ranks it at the 26.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the LLM/Generative AI Risks risk domain.


Vulnerability details

GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.

CWE(s)

CWE-639: Authorization Bypass Through User-Controlled Key
AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Improper identity resolution directly allows an authenticated attacker to execute workflows under another valid user identity (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13772 (same product: Gitlab Gitlab)
CVE-2026-1724 (same product: Gitlab Gitlab)
CVE-2024-9773 (same product: Gitlab Gitlab)
CVE-2025-0314 (same product: Gitlab Gitlab)
CVE-2025-13929 (same product: Gitlab Gitlab)
CVE-2024-7102 (same product: Gitlab Gitlab)
CVE-2026-0752 (same product: Gitlab Gitlab)
CVE-2026-1456 (same product: Gitlab Gitlab)
CVE-2026-3857 (same product: Gitlab Gitlab)
CVE-2026-0958 (same product: Gitlab Gitlab)

Affected Assets

Vendor: gitlab
Product: gitlab
Affected versions: 19.0.0; 18.8.0 up to (not including) 18.10.7; 18.11.0 up to (not including) 18.11.4

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-639: per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

Addresses CWE-639: consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
