CVE-2023-5226

MEDIUM

Gitlab < 16.4.3 - Code Injection

Title source: rule

Description

An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.

References (2)

[Broken Link, Vendor Advisory] https://gitlab.com/gitlab-org/gitlab/-/issues/426400

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/2173053

Scores

CVSS v3 4.8

EPSS 0.0011

EPSS Percentile 28.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Classification

CWE

CWE-94

Status published

Affected Products (4)

gitlab/gitlab < 16.4.3

gitlab/gitlab

Timeline

Published Dec 01, 2023

Tracked Since Feb 18, 2026