{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-10871","assignerOrgId":"ceab7361-8a18-47b1-92ba-4d7d25f6715a","state":"PUBLISHED","assignerShortName":"GitLab","dateReserved":"2025-09-23T10:33:23.021Z","datePublished":"2025-09-26T09:04:21.687Z","dateUpdated":"2026-02-26T17:47:54.446Z"},"containers":{"cna":{"title":"Missing Authorization in GitLab","descriptions":[{"lang":"en","value":"An issue has been discovered in GitLab EE affecting all versions from 16.6 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1. Project Maintainers can exploit a vulnerability where they can assign custom roles to users with permissions exceeding their own, effectively granting themselves elevated privileges."}],"affected":[{"vendor":"GitLab","product":"GitLab","repo":"git://git@gitlab.com:gitlab-org/gitlab.git","cpes":["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"],"versions":[{"version":"16.6","status":"affected","lessThan":"18.2.7","versionType":"semver"},{"version":"18.3","status":"affected","lessThan":"18.3.3","versionType":"semver"},{"version":"18.4","status":"affected","lessThan":"18.4.1","versionType":"semver"}],"defaultStatus":"unaffected"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-862: Missing Authorization","cweId":"CWE-862","type":"CWE"}]}],"references":[{"url":"https://gitlab.com/gitlab-org/gitlab/-/issues/569482","name":"GitLab Issue #569482","tags":["issue-tracking","permissions-required"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW","baseScore":3.8,"baseSeverity":"LOW"}}],"solutions":[{"lang":"en","value":"Upgrade to version 18.2.7, 18.3.3 or 18.4.1 or above."}],"credits":[{"lang":"en","value":"This vulnerability was discovered internally by a GitLab team member, [Diane Russel](https://gitlab.com/dlrussel).","type":"finder"}],"providerMetadata":{"orgId":"ceab7361-8a18-47b1-92ba-4d7d25f6715a","shortName":"GitLab","dateUpdated":"2025-09-26T09:04:21.687Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2025-10871","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-09-27T03:55:26.598432Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T17:47:54.446Z"}}]}}