Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.
Published: 2026-03-11
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to virtual registry data
Action: Upgrade
AI Analysis

Impact

A vulnerability in GitLab Enterprise Edition could allow an authenticated user to view Virtual Registry data in groups to which they do not belong. The flaw is a missing authorization check under certain conditions, allowing unintended data exposure. The primary impact is a confidentiality breach, permitting non-members to access sensitive registry artifacts that should be restricted to group members. The weakness is identified as CWE-862, "Missing Authorization."

Affected Systems

GitLab is affected. All Enterprise Edition releases from version 18.2 through 18.6, 18.8 through 18.8.5, and 18.9 before 18.9.2 are vulnerable. The fix is implemented in GitLab EE 18.7.6, 18.8.6, 18.9.2, and any later releases.

Risk and Exploitability

The CVSS score is 3.5, indicating low severity, and the EPSS score is below 1%, implying a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated GitLab user; the attacker must have valid credentials and then attempt to access the virtual registry of a group of which they are not a member. Once authenticated, the improper authorization logic permits reading the registry content.
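The CWE-862 shape described above (authentication checked, group membership not) and the deny-by-default fix are shown below as an added illustrative example. This is not GitLab's code and does not reflect how GitLab implements Virtual Registries; the in-memory User, Group and VirtualRegistry structs, the sample users and groups, and the function names are all constructed for the example.

```ruby
# Added illustrative example (not GitLab code): a group-scoped registry lookup
# with and without an authorization check, modelling the CWE-862 pattern.

# Constructed in-memory stand-ins for users, groups and their virtual registries.
User = Struct.new(:id, :name)
VirtualRegistry = Struct.new(:name, :upstreams)
Group = Struct.new(:id, :member_ids, :registry) do
  def member?(user)
    member_ids.include?(user.id)
  end
end

class NotAuthorized < StandardError; end

# Constructed sample data: alice belongs only to group 10, bob only to group 20.
ALICE = User.new(1, "alice")
BOB = User.new(2, "bob")
GROUPS = {
  10 => Group.new(10, [ALICE.id], VirtualRegistry.new("maven-proxy", ["https://maven.example/"])),
  20 => Group.new(20, [BOB.id], VirtualRegistry.new("npm-proxy", ["https://npm.example/"])),
}.freeze

# Vulnerable pattern: the caller is authenticated, but the group the registry
# belongs to is never asked whether this user may read it. Any signed-in user
# can therefore read any group's registry data.
def registry_for_unsafe(groups, group_id, current_user)
  raise NotAuthorized, "sign in required" if current_user.nil?
  groups.fetch(group_id).registry
end

# Hardened pattern: deny by default. The registry is released only after the
# owning group confirms membership, and an unknown group and a forbidden group
# fail identically so the check does not leak which group ids exist.
def registry_for(groups, group_id, current_user)
  raise NotAuthorized, "sign in required" if current_user.nil?
  group = groups[group_id]
  raise NotAuthorized, "registry not available" if group.nil? || !group.member?(current_user)
  group.registry
end

# Boolean wrapper around the hardened lookup, convenient for policy tests.
def authorized_read?(groups, group_id, current_user)
  registry_for(groups, group_id, current_user)
  true
rescue NotAuthorized
  false
end

if __FILE__ == $PROGRAM_NAME
  # The unsafe lookup hands alice bob's registry; the hardened one refuses.
  puts "unsafe: alice reads group 20 -> #{registry_for_unsafe(GROUPS, 20, ALICE).name}"
  puts "hardened: alice reads group 20 -> #{authorized_read?(GROUPS, 20, ALICE)}"
  puts "hardened: alice reads group 10 -> #{authorized_read?(GROUPS, 10, ALICE)}"
end
```

The design point for a reviewer is that the membership check lives next to the data it protects: the group decides, the lookup never returns a registry it has not been authorized to return, and the failure path for "no such group" and "not a member" is the same.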

Generated by OpenCVE AI on March 17, 2026 at 22:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.


OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to GitLab EE 18.7.6, 18.8.6, 18.9.2, or any newer release.


Tracking


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 12 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 16:15:00 +0000

Type: Description
Values Added: GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to access Virtual Registry data in groups where they are not members due to improper authorization under certain conditions.

Type: Title
Values Added: Missing Authorization in GitLab

Type: First Time appeared
Values Added: Gitlab; Gitlab gitlab

Type: Weaknesses
Values Added: CWE-862

Type: CPEs
Values Added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Gitlab; Gitlab gitlab

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-12T16:20:13.909Z

Reserved: 2025-11-04T18:34:22.289Z

Link: CVE-2025-12704

Vulnrichment

Updated: 2026-03-12T15:42:50.542Z

NVD

Status: Analyzed

Published: 2026-03-11T16:16:18.570

Modified: 2026-03-17T20:59:11.730

Link: CVE-2025-12704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:42Z

Weaknesses