Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach through unauthorized metadata disclosure
Action: Patch
AI Analysis

Impact

A flaw in GitLab Community and Enterprise Editions allows an authenticated user to view metadata from private issues, merge requests, epics, milestones, or commits. The vulnerability arises from incorrect filtering in the snippet rendering process, meaning that private information can be exposed to users who normally should not have access. This results in a confidentiality compromise but does not grant elevated privileges or denial of service.

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from version 15.6 up to but excluding 18.7.6, 18.8.6, and 18.9.2 are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates low severity, and the EPSS score of less than 1% reflects a small likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated session and manipulating snippet content; it does not provide privilege escalation or remote code execution. The risk is thus limited to accidental or malicious exposure of private metadata within authenticated users.

Generated by OpenCVE AI on March 20, 2026 at 15:31 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.7.6, 18.8.6, 18.9.2 or later.

Generated by OpenCVE AI on March 20, 2026 at 15:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.
Title Authentication Bypass Using an Alternate Path or Channel in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-288
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T19:36:50.673Z

Reserved: 2026-01-05T13:03:49.437Z

Link: CVE-2026-0602

cve-icon Vulnrichment

Updated: 2026-03-11T19:35:53.264Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T16:16:22.010

Modified: 2026-03-17T20:59:01.673

Link: CVE-2026-0602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:55:25Z

Weaknesses