SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Supply Chain Security

GitLab Ships Update for Critical Pipeline Execution Vulnerability

GitLab issues an advisory for a critical-severity vulnerability that allows an attacker to trigger a pipeline as another user.

DevOps platform GitLab has pushed out security updates that address six vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity bug with serious implications.

The issue, tracked as CVE-2024-6385 (CVSS score 9.6/10), allows an attacker to trigger a pipeline as another users, under certain circumstances, and impacts GitLab CE/EE versions 15.8 to 16.11.5, 17.0.0 to 17.0.3, and 17.1.0 to 17.1.1.

Reported via GitLab’s bug bounty program on HackerOne, the security defect was addressed with the release of GitLab CE/EE versions 17.1.2, 17.0.4, and 16.11.6.

The GitLab advisory does not include further details on the security defect or how it was resolved.

In an emailed comment to SecurityWeek, Contrast Security CISO David Lindner warned that successful exploitation of the bug “could enable attackers to run malicious code, access sensitive data and compromise software integrity”. 

Patches for CVE-2024-6385 were released roughly two weeks after the DevOps platform addressed another flaw (CVE-2024-5655) that allows attackers to run pipeline jobs as another user.

Advertisement. Scroll to continue reading.

The latest GitLab security updates also resolve a medium-severity bug that could allow a user with a custom role to modify the URL for a group namespace.

The remaining four issues resolved with the latest GitLab CE/EE versions are low-severity flaws leading to the inappropriate creation of project-level deploy tokens, the upload of NPM packages with conflicting package data, users with a custom role banning group members, and subdomain takeover in GitLab Pages.

GitLab makes no mention of any of these vulnerabilities being exploited in the wild. Users are advised to update their instances as soon as possible, as threat actors are known to have exploited GitLab vulnerabilities for which patches had been released.

Related: GitLab Patches Critical Pipeline Execution Vulnerability

Related: Thousands of GitLab Instances Unpatched Against Password Reset Bug

Related: GitLab Patches Critical Pipeline Execution Vulnerability

Related: GitLab Security Update Patches Critical Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Third-Party Risk in Practice
June 4, 2026

Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Tim Byrd has been appointed Chief Information Security Officer at First Citizens Bank.

IRONSCALES has named Steve McKenzie as Chief Operating Officer.

Silvio Pappalardo has joined AuthMind as Chief Revenue Officer.

More People On The Move

Expert Insights

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.