Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control
Published: 2026-03-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Security Configuration Data
Action: Immediate Patch
AI Analysis

Impact

The vendor description scopes the issue to GitLab EE (NVD's CPE entries also list Community builds). The flaw is a missing authorization check (CWE-862): an authenticated user holding only the Planner role in a group can read security category metadata and attributes from that group's security configuration, data the role is not meant to see. What leaks is configuration information that gives an attacker insight into which security categories and attributes the organization has set up, i.e. into its security posture; the flaw grants no write access.

Affected Systems

The affected versions are all releases from 18.6 up to, but not including, 18.8.7 (every 18.6.x and 18.7.x release plus 18.8.0 through 18.8.6); from 18.9 up to, but not including, 18.9.3; and from 18.10 up to, but not including, 18.10.1. The vendor description names GitLab EE; NVD's CPE entries nevertheless cover both the Community and Enterprise builds, with explicit entries for 18.10.0.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) scores 4.3 Medium: the flaw is reachable over the network with low complexity and no user interaction, but it requires an authenticated low-privilege account and yields only a limited confidentiality impact, with no effect on integrity or availability. The EPSS score below 1% and absence from CISA's KEV catalog indicate no known real-world exploitation, consistent with the SSVC assessment of Exploitation: none, Automatable: no, Technical Impact: partial. The attacker needs a GitLab account holding the Planner role in the target group; that is a low-privilege role, so the precondition is met by an insider who already has it as well as by an outsider who compromises such an account. Because the flaw only reveals configuration data and provides neither code execution nor privilege escalation, the concern is confidentiality loss rather than direct compromise. Organizations should still patch to close the disclosure and, until they do, may want to review which accounts hold the Planner role in sensitive groups.

Generated by OpenCVE AI on March 26, 2026 at 19:52 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1, or later
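The version ranges above have a gap that is easy to misread: 18.6.x and 18.7.x have no patched release of their own and must move to 18.8.7. The following check, added here as an example and not OpenCVE's or GitLab's own tooling, encodes the three affected ranges from the CVE description and reports whether a given version string is vulnerable and which release to upgrade to. The only external call it knows about is GitLab's real `GET /api/v4/version` endpoint (which requires an authenticated token); the base URL and token are assumed to be supplied by the caller, and the sample version strings at the bottom are constructed, not taken from any real instance.

```python
import json
import re
import urllib.request

# Affected ranges from the CVE-2025-14595 description, lower bound inclusive,
# upper bound exclusive: [18.6, 18.8.7), [18.9, 18.9.3), [18.10, 18.10.1).
AFFECTED_RANGES = (
    ((18, 6, 0), (18, 8, 7)),
    ((18, 9, 0), (18, 9, 3)),
    ((18, 10, 0), (18, 10, 1)),
)

# GitLab reports versions like "18.8.6-ee"; the build suffix is irrelevant here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '18.8.6-ee', '18.10.0' or '18.11.0-pre' into (major, minor, patch).
    A missing patch level counts as 0; suffixes such as -ee/-ce/-pre are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version falls inside one of the vulnerable ranges."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version_text):
    """The fixed release that closes the range the version sits in, or None.
    Note that 18.6.x/18.7.x resolve to 18.8.7, not to a same-minor release."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def fetch_gitlab_version(base_url, token):
    """Read the running version from GitLab's GET /api/v4/version endpoint.
    base_url and token are caller-supplied assumptions; not exercised offline."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs covering each range boundary.
    samples = ("18.5.4-ee", "18.6.0-ee", "18.7.12-ee", "18.8.6-ee", "18.8.7-ee",
               "18.9.2", "18.9.3", "18.10.0-ee", "18.10.1-ee", "18.11.0-pre")
    for s in samples:
        print(f"{s:<12} affected={is_affected(s)!s:<5} upgrade_to={recommended_upgrade(s)}")
```

Run it against the output of `fetch_gitlab_version()` for each instance in an estate; anything for which `is_affected()` returns True should be scheduled for the release `recommended_upgrade()` names.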

Generated by OpenCVE AI on March 26, 2026 at 19:52 UTC.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 18:30:00 +0000

Type: CPEs
Values:
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  • cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
  • cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Wed, 25 Mar 2026 16:45:00 +0000 (initial record; all values added)

Description: GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control
Title: Missing Authorization in GitLab
First Time appeared: Gitlab; Gitlab gitlab
Weaknesses: CWE-862
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab; Gitlab gitlab
References: (none)
Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-27T14:58:40.717Z

Reserved: 2025-12-12T16:33:40.328Z

Link: CVE-2025-14595

Vulnrichment

Updated: 2026-03-27T14:58:37.199Z

NVD

Status: Analyzed

Published: 2026-03-25T17:16:27.363

Modified: 2026-03-26T18:28:05.517

Link: CVE-2025-14595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:20Z

Weaknesses