CVE-2025-11989 LOW

CVE-2025-11989: Missing Authorization in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-862 · Missing authorization

Published October 26, 2025

Last update October 28, 2025

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab EE affecting all versions from 17.6.0 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1 that could have allowed an authenticated attacker to execute unauthorized quick actions by including malicious commands in specific descriptions.

Key dates

02Disclosure timeline

October 26, 2025 CVE published

October 28, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-11989 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2023-47764 WordPress Ditty plugin <= 3.1.24 - Broken Access Control vulnerability CVE-2024-33591 WordPress Easy Accept Payments for PayPal plugin <= 4.9.10 - Broken Access Control vulnerability CVE-2022-43482 WordPress Appointment Booking Calendar plugin <= 1.3.69 - Missing Authorization vulnerability CVE-2025-49973 WordPress Image Sizes Controller, Create Custom Image Sizes, Disable Image Sizes plugin <= 1.0.10 - Broken Access Control Vulnerability CVE-2026-32425 WordPress Payment Gateway Pix For GiveWP plugin <= 2.2.3 - Broken Access Control vulnerability

Identifiers

CVE CVE-2025-11989

CWE CWE-862

CVSS 3.7 / LOW

Affected versions

Vendor Gitlab

Product GitLab

Affected ≥ 17.6.0 and < 18.3.5

Vendor Gitlab

Product GitLab

Affected ≥ 18.4 and < 18.4.3

Vendor Gitlab

Product GitLab

Affected ≥ 18.5 and < 18.5.1