CVE-2025-25012 – Elastic Kibana Vulnerability
June 30, 2025
Severity
Medium
Analysis Summary
CVE-2025-2938 CVSS:3.1
An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
CVE-2025-3279 CVSS:6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
CVE-2025-5315 CVSS:4.3
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
CVE-2025-5846 CVSS:2.7
An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks.
Impact
- Denial of Service
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2025-2938
CVE-2025-3279
CVE-2025-5315
CVE-2025-5846
Affected Vendors
- GitLab
Affected Products
- GitLab 10.7
- GitLab 16.10
- GitLab 17.2
- GitLab 17.3
- GitLab 18.0
- GitLab 18.1
Remediation
Refer to the GitLab website for patch, upgrade, or suggested workaround information.
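The version ranges listed in the Analysis Summary, turned into a check that tells an operator which of the four CVEs apply to a given GitLab version. This is an added example, not code from GitLab or from the advisory; the range table is transcribed from the text above, and the `edition` argument ("ce" or "ee") is an assumption used to honour the EE-only scope of CVE-2025-5846.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory: lower bound inclusive, upper bound
# exclusive (the upper bound is the first fixed release).
ADVISORY: Dict[str, Tuple[Tuple[str, str], ...]] = {
    "CVE-2025-2938": (("17.3", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")),
    "CVE-2025-3279": (("10.7", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")),
    "CVE-2025-5315": (("17.2", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")),
    "CVE-2025-5846": (("16.10", "17.11.5"), ("18.0", "18.0.3"), ("18.1", "18.1.1")),
}
# The advisory scopes CVE-2025-5846 to GitLab EE only.
EE_ONLY = {"CVE-2025-5846"}


def parse_version(text: str) -> Version:
    """Turn '17.11.4', '18.0' or '17.11.4-ee' into a comparable 3-tuple."""
    core = text.strip().split("-")[0]          # drop '-ee' / '-ce' suffixes
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected GitLab version format: {text!r}")
    parts += [0] * (3 - len(parts))            # '18.0' -> (18, 0, 0)
    return parts[0], parts[1], parts[2]


def in_range(version: Version, low: str, high: str) -> bool:
    return parse_version(low) <= version < parse_version(high)


def affected_cves(version: str, edition: str = "ce") -> List[str]:
    """Return the CVEs from this advisory that apply to the given version.

    edition: 'ce' or 'ee' (assumed parameter; EE-only CVEs are skipped for CE).
    """
    v = parse_version(version)
    hits = []
    for cve, ranges in ADVISORY.items():
        if cve in EE_ONLY and edition.lower() != "ee":
            continue
        if any(in_range(v, low, high) for low, high in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for sample in ("17.11.4-ee", "17.2.9", "18.0.3"):
        print(sample, "->", affected_cves(sample, "ee") or "not affected")
```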