{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "18.3" }, { "fixed": "18.3.4" } ] }, "events": [ { "introduced": "94282cd9b41643ecd8a82da6cf46834cd9609afe" }, { "fixed": "5f66dfbe719f204a376af73ef283481886cf08d2" } ], "repo": "https://gitlab.com/gitlab-org/gitlab", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "18.4" }, { "fixed": "18.4.2" } ] }, "events": [ { "introduced": "9255f56b45844196bb7657a9f1fde6aa65a5d08d" }, { "fixed": "527e88bdddb02340974a968de1ddcfa4ed7735e5" } ], "repo": "https://gitlab.com/gitlab-org/gitlab", "type": "GIT" } ] } ], "database_specific": { "cna_assigner": "GitLab", "cwe_ids": [ "CWE-863" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11340.json" }, "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.3 to 18.3.4, 18.4 to 18.4.2 that, under certain conditions, could have allowed authenticated users with read-only API tokens to perform unauthorized write operations on vulnerability records by exploiting incorrectly scoped GraphQL mutations.", "id": "CVE-2025-11340", "modified": "2026-04-01T23:10:24.749694012Z", "published": "2025-10-09T12:04:20.127Z", "references": [ { "type": "WEB", "url": "https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11340.json" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11340" }, { "type": "REPORT", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/567847" }, { "type": "PACKAGE", "url": "git://git@gitlab.com:gitlab-org/gitlab.git" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "type": "CVSS_V3" } ], "summary": "Incorrect Authorization in GitLab" }