CVE-2025-6168: 
GitLab vulnerability analysis and mitigation

An issue has been discovered in GitLab Enterprise Edition (EE) affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests. The vulnerability was disclosed on July 9, 2025, and was assigned CVE-2025-6168 (GitLab Release, NVD).

The vulnerability is classified as an improper authorization issue with a CVSS v3.1 Base Score of 2.7 (Low) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. The weakness is identified as CWE-863 (Incorrect Authorization). The vulnerability specifically affects the group-level user invitation functionality in GitLab EE (GitLab Release).

The vulnerability allows authenticated maintainers with elevated privileges to circumvent group-level user invitation restrictions, potentially leading to unauthorized access control bypasses within GitLab EE environments (GitLab Release, GBHackers).

GitLab has released patches to address this vulnerability in versions 18.0.4 and 18.1.2. Organizations running affected versions are strongly recommended to upgrade to the latest patched versions immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was reported through GitLab's HackerOne bug bounty program by security researcher hunter0xp7. The security community has classified this as a low-severity issue due to its limited impact and high privilege requirement for exploitation (GBHackers).