CVE-2024-7296
LOWGitLab 16.5-17.7.6, 17.8-17.8.4, 17.9-17.9.1 - Incorrect Authorization in Membership Approval
Title source: llmDescription
An issue was discovered in GitLab EE affecting all versions from 16.5 prior to 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2 which allowed a user with a custom permission to approve pending membership requests beyond the maximum number of allowed users.
References (2)
Core 2
Core References
Exploit, Issue Tracking issue-tracking
permissions-required
https://gitlab.com/gitlab-org/gitlab/-/issues/475056
Permissions Required technical-description
exploit
permissions-required
https://hackerone.com/reports/2602274
Scores
CVSS v3
2.7
EPSS
0.0002
EPSS Percentile
6.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
gitlab/gitlab
16.5.0 - 17.7.7 (2 CPE variants)
Published
Mar 13, 2025
Tracked Since
Feb 18, 2026