GitLab Group Owner SAML Account Takeover Vulnerability

GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-6552 is a critical authorization flaw in GitLab Enterprise Edition that allows authenticated users with Group Owner privileges to hijack other group members' accounts through improper access controls in SAML identity management. This vulnerability affects GitLab versions 15.5 through 19.0.2 across multiple release channels, impacting any organization using GitLab EE with SAML-based authentication and role-based group management. The threat is particularly severe because exploitation requires only standard group owner credentials—a role commonly delegated to administrators—and targets the identity management layer where trust boundaries are established. Organizations relying on SAML for compliance, SSO, or multi-tenancy face substantial risk of account compromise, lateral movement, and privilege escalation within their GitLab instances.

Casky's 261 matched security skills leverage Claude's extended reasoning to detect the attack patterns mapped to MITRE ATT&CK's Privilege Escalation (TA0004) and Credential Access (TA0006) techniques. When analyzing GitLab environments, practitioners would identify suspicious patterns including unauthorized SAML identity bindings to existing accounts, Group Owner API calls modifying SAML group mappings, and account takeover indicators showing ownership changes without corresponding user actions. Casky's skills would flag improper authorization checks in identity provider synchronization workflows and detect when group member accounts are being re-assigned to different SAML identities. By correlating authentication logs, group management changes, and SAML binding modifications, security teams can pinpoint exploitation attempts before account compromise occurs and validate that patches (18.10.8, 18.11.5, 19.0.2+) have adequately closed the authorization gap in identity management controls.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-6552.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-6552

Casky has 261 skills that investigate the attack patterns behind CVE-2026-6552. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn