Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Email data exposure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability stems from missing authorization in certain GraphQL queries within GitLab Enterprise Edition, allowing any authenticated user to retrieve the email addresses of other users. This flaw exposes personally identifying information that can be misused in credential‑recovery or social‑engineering attacks. The weakness is classified as an authorization failure (CWE‑862).

Affected Systems

Affected versions of GitLab Enterprise Edition range from 16.6 through 18.8.8, 18.9.4, and 18.10.2. All releases prior to 18.8.9, 18.9.5, and 18.10.3 contain the flaw. Applying the vendor’s patch by upgrading to version 18.8.9, 18.9.5, 18.10.3, or any later release removes the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no public exploitation known. Because the exploit requires only authenticated access, any user with valid credentials could abuse the flaw; however, the lack of a publicly disclosed exploit reduces immediate risk.

Generated by OpenCVE AI on April 9, 2026 at 00:50 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to GitLab 18.8.9, 18.9.5, or 18.10.3 or newer.
  • If an upgrade cannot be performed immediately, block or limit access to GraphQL endpoints that expose user email addresses until the patch is applied.

Generated by OpenCVE AI on April 9, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:27:17.831Z

Reserved: 2025-08-26T08:33:31.412Z

Link: CVE-2025-9484

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-08T23:16:57.343

Modified: 2026-04-08T23:16:57.343

Link: CVE-2025-9484

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:32Z

Weaknesses