Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Pipeline Job Information
Action: Patch
AI Analysis

Impact

GitLab identified a flaw where an authenticated user could retrieve historical pipeline job data from projects that had both the repository and CI/CD features disabled. This improper authorization check violates the principle of least privilege, allowing users to view sensitive build artifacts and logs, potentially exposing internal project details or facilitating further attacks. The weakness is categorized as CWE-863, indicating an access control bypass.

Affected Systems

Affected versions include all GitLab Community Edition (CE) and Enterprise Edition (EE) releases from 15.1 up to but not including 18.7.6, from 18.8 up to but not including 18.8.6, and from 18.9 up to but not including 18.9.2. The products are listed under the vendor GitLab:GitLab for both community and enterprise editions.

Risk and Exploitability

The CVSS score is 4.3, reflecting medium severity. EPSS indicates a very low probability of exploitation (<1%). The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated GitLab account with standard user permissions and depends on the target project having its repository and CI/CD features disabled. Based on the description, the likely attack vector is an attacker who already holds legitimate credentials; remote exploitation without authentication is not supported by the data.

Generated by OpenCVE AI on March 17, 2026 at 14:42 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.7.6, 18.8.6, 18.9.2, or newer for all CE and EE installations

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 13:30:00 +0000

Type: CPEs
Values:
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 12 Mar 2026 17:15:00 +0000

Type: Metrics
Values added:
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:30:00 +0000

Values added:
  • Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that, under certain conditions, could have allowed an authenticated user to access previous pipeline job information on projects with repository and CI/CD disabled due to improper authorization checks.
  • Title: Incorrect Authorization in GitLab
  • First Time appeared: Gitlab, Gitlab gitlab
  • Weaknesses: CWE-863
  • CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
  • Vendors & Products: Gitlab, Gitlab gitlab
  • References:
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-12T16:20:07.813Z

Reserved: 2025-10-31T16:03:45.837Z

Link: CVE-2025-12555

Vulnrichment

Updated: 2026-03-12T15:43:05.732Z

NVD

Status: Analyzed

Published: 2026-03-11T17:16:50.063

Modified: 2026-03-13T13:22:06.100

Link: CVE-2025-12555

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:39Z

Weaknesses