← back
CVE-2025-11340

Incorrect Authorization in GitLab

CVSS 7.7 HIGHEPSS 0.3%CWE-863
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.7EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Oct 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Affected products
GitLab · GitLab

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/https://gitlab.com/gitlab-org/gitlab/-/issues/567847