<Vulnerability name="CVE-2026-6352">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-08T20:46:43</PublicDate>
    <Bugzilla id="2498312" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498312" xml:lang="en:us">
gitlab: GitLab EE: Auditor-level users can modify compliance records via improper authorization in GraphQL
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>2.7</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-639</CWE>
    <Details xml:lang="en:us" source="Mitre">
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper authorization on certain GraphQL operations.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in GitLab Enterprise Edition (EE). An authenticated user with auditor-level access could modify compliance violation records. This was possible due to improper authorization on certain GraphQL operations, allowing them to bypass intended access controls.
    </Details>
    <PackageState cpe="cpe:/a:redhat:openshift_pipelines:1">
        <ProductName>OpenShift Pipelines</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-pipelines/pipelines-console-plugin-pf5-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_pipelines:1">
        <ProductName>OpenShift Pipelines</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift-pipelines/pipelines-console-plugin-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift4/ose-console</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>openshift4/ose-console-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-6352
https://nvd.nist.gov/vuln/detail/CVE-2026-6352
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/596789
https://hackerone.com/reports/3631344
    </References>
</Vulnerability>