Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of other users’ email addresses through GraphQL queries in GitLab Enterprise Edition
Action: Patch immediately
AI Analysis

Impact

GitLab Enterprise Edition contained an authorization flaw that allowed any authenticated user, under certain conditions, to retrieve the email addresses of other users via specific GraphQL queries. The vulnerability is a classic information‑disclosure issue and is categorized as CWE‑862 (Missing Authorization). No privilege escalation or code execution is possible; the impact is limited to leaking email identifiers, which could facilitate subsequent social‑engineering or phishing attacks.

Affected Systems

All GitLab Enterprise Edition releases ranging from version 16.6 up to, but not including, 18.8.9; all 18.9 releases before 18.9.5; and all 18.10 releases before 18.10.3. Users running these affected versions should be aware that authenticated sessions can be used to query email addresses of other users through the exposed GraphQL endpoints.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity. EPSS scores its exploitation probability as less than 1 % and it is not listed in the CISA KEV catalog. The likely attack vector is benign; an attacker only needs valid credentials and to publish a specially crafted GraphQL request. Because the flaw involves a missing authorization check, attackers with any legitimate user account can perform the exploit, making the risk widespread across the user base of affected installations.

Generated by OpenCVE AI on April 14, 2026 at 20:21 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to v18.8.9, v18.9.5, v18.10.3, or any newer release

Generated by OpenCVE AI on April 14, 2026 at 20:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T13:03:18.113Z

Reserved: 2025-08-26T08:33:31.412Z

Link: CVE-2025-9484

cve-icon Vulnrichment

Updated: 2026-04-09T13:03:13.335Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T23:16:57.343

Modified: 2026-04-14T17:03:59.230

Link: CVE-2025-9484

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses