GitLab EE CVE-2025-11340: Brief Summary of Incorrect Authorization in GraphQL API

A brief summary of CVE-2025-11340, a high-severity authorization flaw in GitLab Enterprise Edition's GraphQL API allowing read-only API tokens to perform unauthorized write operations on vulnerability records. This post covers affected versions, technical details, and vendor security context.
ZeroPath CVE Analysis

2025-10-09
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unauthorized modification of vulnerability records in GitLab Enterprise Edition can disrupt security workflows and compliance reporting. CVE-2025-11340 demonstrates how a flaw in GraphQL API authorization allowed authenticated users with read-only API tokens to perform write operations on critical security data, impacting organizations relying on GitLab for vulnerability management.

GitLab is a widely adopted DevOps platform used by enterprises and open-source communities worldwide. It provides source code management, CI/CD, and integrated security features for millions of users. The Enterprise Edition (EE) is the premium offering, including advanced security and compliance tools.

Technical Information

CVE-2025-11340 is classified as CWE-863 (Incorrect Authorization). The vulnerability is present in the GraphQL API of GitLab EE, specifically in the mutation logic that handles vulnerability records. The intended design is that API tokens with the read_api scope are restricted to read-only operations, while tokens with the broader api scope can perform both read and write actions.

Due to incorrect scoping of certain GraphQL mutations, users authenticated with read_api tokens could invoke write operations on vulnerability records. This bypassed the expected permission model and allowed privilege escalation from read-only to write access. The vulnerability affects the integrity of vulnerability data but does not impact confidentiality or availability. The CVSS v3.1 vector is:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

This means:

  • Network exploitable
  • Low attack complexity
  • Requires low-privilege authentication (read-only token)
  • No user interaction needed
  • Changed scope (impacts resources outside the vulnerable component's security boundary)
  • High integrity impact
  • No confidentiality or availability impact

The root cause is insufficient permission checks on GraphQL mutations related to vulnerability management. No public code snippets or proof of concept are available. The flaw was discovered internally by a GitLab engineer, not through exploitation in the wild.
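The pattern described here, a per-mutation permission check that can be missed, is easier to reason about with a small model. The following code is an added example and not GitLab's code (no public snippet exists for this flaw); it constructs a toy token-scope authorizer in the weak "per-operation registry with a permissive fallback" shape beside a default-deny form where the operation kind sets a floor the registry can only tighten, plus a regression check a defender can keep in a test suite. The Token class, the OPERATION_SCOPES table and the operation names are illustrative placeholders from this example, not identifiers from the advisory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """A personal access token reduced to its scope set (constructed model)."""
    name: str
    scopes: frozenset


# Operations are keyed as "<kind>:<name>". Names are illustrative placeholders.
# This table stands in for a hand-maintained, per-resolver scope registry.
OPERATION_SCOPES = {
    "query:vulnerability": frozenset({"read_api", "api"}),
    "mutation:vulnerabilityConfirm": frozenset({"api"}),
    # "mutation:vulnerabilityDismiss" is deliberately absent to model a
    # mutation whose scope requirement was never registered.
}

# What an unregistered operation gets in the weak design: the broadest allowance.
FALLBACK = frozenset({"read_api", "api"})


def authorize_by_table(token: Token, operation: str) -> bool:
    """Weak pattern: the decision depends only on the registry. An unregistered
    operation inherits the permissive fallback, so a mutation becomes reachable
    with a read_api-only token. This is the CWE-863 shape discussed above."""
    return bool(token.scopes & OPERATION_SCOPES.get(operation, FALLBACK))


def authorize_default_deny(token: Token, operation: str) -> bool:
    """Hardened pattern: the operation kind fixes a minimum scope that the registry
    may narrow but never widen. Every mutation needs 'api'; unknown kinds are refused."""
    kind, _, _ = operation.partition(":")
    if kind == "mutation":
        allowed = frozenset({"api"})
    elif kind == "query":
        allowed = frozenset({"read_api", "api"})
    else:
        return False
    registered = OPERATION_SCOPES.get(operation)
    if registered is not None:
        allowed = allowed & registered   # intersection: registry can only tighten
    return bool(token.scopes & allowed)


def writable_with_readonly(authorize, operations) -> list:
    """Regression check: every mutation a read_api-only token can invoke under the
    given authorizer. A correct authorizer must return an empty list."""
    read_only = Token("read-only", frozenset({"read_api"}))
    return sorted(op for op in operations
                  if op.startswith("mutation:") and authorize(read_only, op))


# Constructed operation inventory for the check above.
ALL_OPERATIONS = [
    "query:vulnerability",
    "mutation:vulnerabilityConfirm",
    "mutation:vulnerabilityDismiss",
]


if __name__ == "__main__":
    print("weak    :", writable_with_readonly(authorize_by_table, ALL_OPERATIONS))
    print("hardened:", writable_with_readonly(authorize_default_deny, ALL_OPERATIONS))
```

The regression check is the part worth keeping: enumerating every mutation in the schema and asserting that a read-only token is refused on each catches the next unregistered resolver before it ships, whereas per-mutation unit tests only cover the mutations someone remembered to test.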

Affected Systems and Versions

  • Product: GitLab Enterprise Edition (EE) only
  • Affected versions:
    • 18.3 through 18.3.4
    • 18.4 through 18.4.2
  • Only deployments that expose the GraphQL API and use read-only (read_api) tokens for vulnerability management operations are exposed to the flaw.
  • Community Edition (CE) is not affected.

Vendor Security History

GitLab regularly releases security updates and maintains a public bug bounty program. Recent security advisories have addressed multiple authorization and GraphQL-related vulnerabilities, including:

  • CVE-2025-10004 (GraphQL API denial of service)
  • CVE-2025-9825 (GraphQL API missing authorization for CI/CD jobs)
  • CVE-2025-11042, CVE-2025-10867 (GraphQL API denial of service)

The vendor typically releases patches promptly and provides detailed advisories. Authorization logic in complex API features has been a recurring challenge, but GitLab's response process is transparent and mature.
