CVE-2026-1747
📋 TL;DR
This vulnerability allows Developer-role users in GitLab EE to make unauthorized modifications to protected Conan packages even though they lack the permissions required to do so. It affects GitLab EE versions 17.11 through 18.9.0 under specific conditions. The issue has been patched in recent releases.
💻 Affected Systems
- GitLab EE
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
Learn more about Gitlab →
⚠️ Risk & Real-World Impact
Worst Case
Malicious or compromised Developer-role users could tamper with protected Conan packages, potentially injecting malicious code or corrupting dependencies used by other projects.
Likely Case
Accidental or intentional unauthorized modifications to protected packages, disrupting development workflows and potentially introducing integrity issues.
If Mitigated
Limited impact with proper access controls and monitoring, though unauthorized modifications could still occur within the scope of Developer permissions.
🎯 Exploit Status
Exploitation requires authenticated Developer access and specific conditions for protected Conan packages. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.7.5, 18.8.5, or 18.9.1
Vendor Advisory: https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab EE 18.7.5, 18.8.5, or 18.9.1 using your preferred method (Omnibus, Helm, source).
3. Restart GitLab services.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Restrict Developer Access to Conan Packages
Temporarily limit Developer-role permissions for Conan package repositories until patching can be completed.
Adjust project/group settings in GitLab Admin Area to restrict package permissions
🧯 If You Can't Patch
- Implement strict access controls and audit logs for Conan package modifications
- Monitor for unauthorized package changes and review Developer activity regularly
🔍 How to Verify
Check if Vulnerable:
Check GitLab version via Admin Area or command: sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the running version is 18.7.5, 18.8.5, or 18.9.1 (or later), and test that Developer-role users cannot modify protected Conan packages without proper permissions.
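As an added example that is not part of this advisory, the following POSIX shell function classifies the line returned by the version command above against the version ranges this page lists (affected 17.11 through 18.9.0; fixed in 18.7.5, 18.8.5 and 18.9.1). The function name and its output labels are my own; it assumes the input is either the `GitLab version: X.Y.Z-ee` line or a bare `major.minor.patch` string.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a GitLab EE version string
# against the CVE-2026-1747 ranges stated on this page.
# Assumes input like "GitLab version: 18.8.2-ee" (the grep output) or "18.8.2".

# Prints one of: affected, patched, below-range, unparseable. Always returns 0.
cve_2026_1747_status() {
    # Extract the first major.minor.patch triple, ignoring any "-ee" suffix.
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unparseable
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # Releases older than 17.11 are not listed as affected on this page.
    if [ "$major" -lt 17 ] || { [ "$major" -eq 17 ] && [ "$minor" -lt 11 ]; }; then
        echo below-range
        return 0
    fi
    # Everything from 17.11 up to 18.6.x predates all three fixed releases.
    if [ "$major" -eq 17 ] || { [ "$major" -eq 18 ] && [ "$minor" -lt 7 ]; }; then
        echo affected
        return 0
    fi
    if [ "$major" -eq 18 ]; then
        case "$minor" in
            7|8) if [ "$patch" -lt 5 ]; then echo affected; else echo patched; fi ;;
            9)   if [ "$patch" -eq 0 ]; then echo affected; else echo patched; fi ;;
            *)   echo patched ;;   # 18.10 and later ship after the fixed releases
        esac
        return 0
    fi
    echo patched   # 19.x and later
}

# To check a live instance (needs gitlab-rake on the host):
#   cve_2026_1747_status "$(sudo gitlab-rake gitlab:env:info | grep 'GitLab version')"
```

A result of `affected` means the instance is inside the ranges this page lists; `patched` only confirms the version, not that protected-package permissions behave correctly, so still run the Developer-role test described above.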
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to protected Conan packages in GitLab logs
- Unexpected package modifications by Developer-role users
Network Indicators:
- Unusual API calls to package endpoints from Developer accounts
SIEM Query:
source="gitlab" AND (event="package_update" OR event="package_modify") AND user_role="developer" AND package_type="conan"