CVE-2025-11971: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated an Incorrect Authorization vulnerability (CVE-2025-11971) affecting GitLab CE versions from 10.6 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. The vulnerability was disclosed on October 22, 2025, as part of GitLab's scheduled security release (GitLab Release, Debian Tracker).

The vulnerability has been assigned a CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N. The issue stems from an incorrect authorization implementation that could allow authenticated users to trigger unauthorized pipeline executions through commit manipulation (GitLab Release).

If successfully exploited, this vulnerability allows authenticated users to execute unauthorized pipeline operations by manipulating commits in the system. This could potentially lead to unauthorized code execution within the CI/CD pipeline context (Security Online).

GitLab has released patches in versions 18.5.1, 18.4.3, and 18.3.5 for both Community Edition (CE) and Enterprise Edition (EE). Organizations are strongly recommended to upgrade to these patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action (GitLab Release).

Ubuntu has noted that GitLab is no longer maintainable as a distribution package and has been removed from their repositories. They have explicitly stated they will not be fixing security issues in the GitLab package for certain versions (Ubuntu Security).