CVE-2025-11246 Insufficient Granularity of Access Control in GitLab

🗓️ 09 Jan 2026 10:04:21Reported by GitLabType

CVE-2025-11246: Authenticated user with permissions could remove project runners via GraphQL associations.

Reporter	Title	Published	Views	Family All 20
FreeBSD	Gitlab -- vulnerabilities	7 Jan 202600:00	–	freebsd
Chainguard	CVE-2025-11246 vulnerabilities	28 Jan 202619:17	–	cgr
Circl	CVE-2025-11246	8 Jan 202614:15	–	circl
CNNVD	GitLab Enterprise Edition（EE）和GitLab Community Edition（CE）安全漏洞	9 Jan 202600:00	–	cnnvd
CVE	CVE-2025-11246	9 Jan 202610:04	–	cve
Debian CVE	CVE-2025-11246	9 Jan 202610:04	–	debiancve
EUVD	EUVD-2026-1771	9 Jan 202610:04	–	euvd
Tenable Nessus	FreeBSD : Gitlab -- vulnerabilities (c9b610e9-eebc-11f0-b051-2cf05da270f3)	12 Jan 202600:00	–	nessus
Tenable Nessus	GitLab 15.4 < 18.5.5 / 18.6 < 18.6.3 / 18.7 < 18.7.1 (CVE-2025-11246)	12 Feb 202600:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2025-11246	21 Jan 202600:00	–	nessus

[
  {
    "vendor": "GitLab",
    "product": "GitLab",
    "repo": "git://[email protected]:gitlab-org/gitlab.git",
    "cpes": [
      "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
    ],
    "versions": [
      {
        "version": "15.4",
        "status": "affected",
        "lessThan": "18.5.5",
        "versionType": "semver"
      },
      {
        "version": "18.6",
        "status": "affected",
        "lessThan": "18.6.3",
        "versionType": "semver"
      },
      {
        "version": "18.7",
        "status": "affected",
        "lessThan": "18.7.1",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
gitlab	www.gitlab.com/gitlab-org/gitlab/-/issues/573728
about	www.about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
hackerone	www.hackerone.com/reports/3292475

09 Jan 2026 10:04Current

CVSS 3.15.4

EPSS0.00006

CWE-1220