Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Published: 2026-03-11
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach (credential exposure)
Action: Apply Patch
AI Analysis

Impact

GitLab has a vulnerability that improperly encodes or escapes output, enabling an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions. This leads to disclosure of sensitive credentials, a confidentiality compromise. The weakness is classified as CWE-116. The vendor explicitly states that "an authenticated user with maintainer‑role permissions could reveal Datadog API credentials".

Affected Systems

Affected are all GitLab Community Edition (CE) and Enterprise Edition (EE) versions from 15.5 up to, but not including, 18.7.6, from 18.8 up to, but not including, 18.8.6, and from 18.9 up to, but not including, 18.9.2.

Risk and Exploitability

The CVSS score of 2.2 indicates low severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate maintainer access to a project; an attacker would need to be an authenticated user with maintainer rights to access the compromised output that reveals the credentials. No publicly documented exploits exist, but the low severity does not diminish the need for timely remediation.

Generated by OpenCVE AI on March 17, 2026 at 22:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.

OpenCVE Recommended Actions

  • Apply the official GitLab patch to upgrade to version 18.7.6, 18.8.6, 18.9.2 or later.
  • Verify that all GitLab instances are at an updated version and re‑test to confirm Datadog API credentials are no longer exposed.
  • If an upgrade cannot be performed immediately, restrict maintainer access to projects that use Datadog integration until the update is applied.

Generated by OpenCVE AI on March 17, 2026 at 22:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions.
Title Improper Encoding or Escaping of Output in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-116
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T17:23:04.370Z

Reserved: 2025-11-04T14:35:56.191Z

Link: CVE-2025-12697

cve-icon Vulnrichment

Updated: 2026-03-11T17:22:55.512Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:18.403

Modified: 2026-03-17T20:59:44.183

Link: CVE-2025-12697

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:42Z

Weaknesses