CVE-2025-11246
📋 TL;DR
This vulnerability allows authenticated GitLab users with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. It affects GitLab CE/EE installations running vulnerable versions. Attackers could disrupt CI/CD pipelines by removing runners from projects they shouldn't have access to.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Malicious insider or compromised account removes all runners from critical projects, causing complete CI/CD pipeline disruption and halting software delivery.
Likely Case
Authenticated user with runner management permissions accidentally or intentionally removes runners from projects they shouldn't have access to, causing temporary CI/CD disruptions.
If Mitigated
With proper access controls and monitoring, impact is limited to minor service disruption that can be quickly detected and restored.
🎯 Exploit Status
Exploitation requires authenticated access and specific permissions. GraphQL manipulation is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.5.5, 18.6.3, or 18.7.1
Vendor Advisory: https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to a patched version using your deployment method (Omnibus, Helm, source).
3. Restart GitLab services.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
Restrict Runner Management Permissions
Temporarily limit who can manage project runners to essential personnel only.
# Review and adjust project runner permissions in GitLab Admin Area
Monitor Runner Changes
Implement logging and alerting for runner removal events.
# Configure GitLab audit events and external monitoring
🧯 If You Can't Patch
- Implement strict access controls and review all users with runner management permissions
- Enable comprehensive audit logging for runner operations and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version via the Admin Area or the command line. If the version is older than the fixed release for its branch (listed under Official Fix), the instance is vulnerable.
Check Version:
sudo gitlab-rake gitlab:env:info | grep Version
Verify Fix Applied:
After patching, verify that the version is 18.5.5, 18.6.3, or 18.7.1 (or a later release on the same branch), and test that runner management permissions behave correctly.
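The version check above deserves a little care: `gitlab-rake gitlab:env:info` prints a `Version:` line for GitLab itself and another for GitLab Shell, so a bare `grep Version` returns both, and the application version may carry an `-ee` or `-ce` suffix. The script below is an added example (not part of this advisory or of GitLab's own tooling) that parses the command's output, picks the version from the `GitLab information` section, and compares it against the three patched releases the advisory lists. The sample output is constructed and modelled on the command's format; the handling of branches outside 18.5 to 18.7 is an assumption (older branches are treated as unpatched, newer ones as carrying the fix), since the page does not state the lower bound of the affected range.

```python
import re
import subprocess

# Patched releases named in the advisory, keyed by release branch.
PATCHED = {
    (18, 5): (18, 5, 5),
    (18, 6): (18, 6, 3),
    (18, 7): (18, 7, 1),
}

# Constructed sample, modelled on `sudo gitlab-rake gitlab:env:info` output.
# Note the two "Version:" lines: only the one under "GitLab information" matters.
SAMPLE_ENV_INFO = """\
System information
System:\t\tUbuntu 22.04
Current User:\tgit
Ruby Version:\t3.2.4

GitLab information
Version:\t18.7.0-ee
Revision:\tREVISION-PLACEHOLDER
DB Adapter:\tPostgreSQL

GitLab Shell
Version:\t14.37.0
"""


def parse_gitlab_version(env_info: str):
    """Return the GitLab application version as a (major, minor, patch) tuple.

    Section headers in the output are lines without a colon; the version we
    want is the 'Version:' entry inside the 'GitLab information' section.
    Edition suffixes such as '-ee' are dropped.
    """
    section = None
    for raw in env_info.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            section = line          # e.g. "GitLab information", "GitLab Shell"
            continue
        if section == "GitLab information" and line.startswith("Version:"):
            m = re.search(r"(\d+)\.(\d+)\.(\d+)", line)
            if m:
                return tuple(int(x) for x in m.groups())
    raise ValueError("GitLab version not found in env:info output")


def assess(version):
    """Classify a version against the patched releases.

    Branch-handling assumption (not stated on the page): branches older than
    18.5 receive no backport and are treated as unpatched; branches newer than
    18.7 are assumed to include the fix.
    """
    branch = version[:2]
    if branch in PATCHED:
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    if branch > max(PATCHED):
        return "newer than patched branches (assume fixed)"
    return "unsupported branch older than all patched releases (assume vulnerable)"


def check_instance(env_info: str):
    """Parse output and return (version_string, status) for reporting."""
    version = parse_gitlab_version(env_info)
    return ".".join(map(str, version)), assess(version)


def read_live_env_info() -> str:
    """Run the command from the advisory on the host (requires sudo)."""
    return subprocess.run(
        ["sudo", "gitlab-rake", "gitlab:env:info"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # read_live_env_info() to check a real instance.
    print(check_instance(SAMPLE_ENV_INFO))   # → ('18.7.0', 'vulnerable')
```

Run it on a real instance by replacing `SAMPLE_ENV_INFO` with `read_live_env_info()`; the parser does not depend on tab versus space separators, only on the section header preceding the `Version:` line.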
📡 Detection & Monitoring
Log Indicators:
- GraphQL mutations removing runners from multiple projects
- Audit events showing runner removal by unauthorized users
- Sudden increase in runner removal events
Network Indicators:
- GraphQL API calls to runner association endpoints from unexpected sources
SIEM Query:
source="gitlab" AND (event="runner_removed" OR graphql_mutation="runnerAssociation")
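The two log indicators that matter most here are removals from projects the actor does not administer and a burst of removals across many projects by one actor. The following is an added example (not part of this advisory) of detection logic that implements both over JSON-lines audit events. The event records, their field names (`event`, `author`, `project_id`, `runner_id`, `time`) and the membership map are constructed to match the SIEM query's vocabulary; GitLab's real audit-event schema differs, so map the field names to your export before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines). Field names follow the SIEM
# query on this page, not GitLab's actual audit_json.log schema.
SAMPLE_AUDIT_LOG = """\
{"time":"2026-01-08T10:00:01Z","event":"runner_removed","author":"alice","project_id":11,"runner_id":301}
{"time":"2026-01-08T10:00:05Z","event":"runner_removed","author":"mallory","project_id":21,"runner_id":401}
{"time":"2026-01-08T10:00:06Z","event":"runner_removed","author":"mallory","project_id":22,"runner_id":402}
{"time":"2026-01-08T10:00:07Z","event":"runner_removed","author":"mallory","project_id":23,"runner_id":403}
{"time":"2026-01-08T10:00:08Z","event":"runner_removed","author":"mallory","project_id":24,"runner_id":404}
{"time":"2026-01-08T10:05:00Z","event":"project_created","author":"bob","project_id":25}
"""

# Constructed: projects each user is expected to manage runners for.
# In practice, build this from the GitLab members API or an access review.
RUNNER_ADMINS = {
    "alice": {11, 12},
    "mallory": {21},
}


def parse_events(log_text: str):
    """Parse JSON-lines audit events, converting the timestamp to datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_runner_removals(events, admins, max_projects=3, window=timedelta(minutes=5)):
    """Return alerts for the two indicators named in the advisory.

    cross_project_removal: a runner removed from a project the actor is not
                           recorded as administering.
    mass_removal:          one actor removing runners from more than
                           `max_projects` distinct projects within `window`.
    """
    alerts = []
    removals = [e for e in events if e.get("event") == "runner_removed"]

    # Indicator 1: removal outside the actor's known scope.
    for e in removals:
        if e["project_id"] not in admins.get(e["author"], set()):
            alerts.append({
                "rule": "cross_project_removal",
                "author": e["author"],
                "project_id": e["project_id"],
                "time": e["time"].isoformat(),
            })

    # Indicator 2: burst of removals across many projects by one actor.
    by_author = defaultdict(list)
    for e in removals:
        by_author[e["author"]].append(e)
    for author, evs in by_author.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            projects = {e["project_id"] for e in in_window}
            if len(projects) > max_projects:
                alerts.append({
                    "rule": "mass_removal",
                    "author": author,
                    "projects": sorted(projects),
                    "time": start["time"].isoformat(),
                })
                break   # one alert per actor per burst is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_runner_removals(parse_events(SAMPLE_AUDIT_LOG), RUNNER_ADMINS):
        print(alert)
```

On the constructed sample, alice's single removal in her own project produces nothing, while mallory triggers three cross-project alerts (projects 22, 23 and 24) plus one mass-removal alert for four projects in under five minutes. Tune `max_projects` and `window` to the normal rate of runner changes in your instance so that legitimate bulk maintenance does not page anyone.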