Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Published: 2026-02-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Apply Patch
AI Analysis

Impact

GitLab Enterprise Edition enforced authorization incompletely in the iterations API: under certain conditions, an authenticated user querying the endpoint for a group could receive iteration data belonging to that group's private descendant groups, to which the user had no access. The weakness is classed as CWE-639 (Authorization Bypass Through User-Controlled Key): the endpoint acted on a caller-supplied group identifier without fully checking that the caller was authorized to see every group whose iterations the query reached. The effect is read-only disclosure; the record assigns no integrity or availability impact.

Affected Systems

The flaw affects GitLab EE only (the community CPE was removed from the record on 12 February 2026, leaving the enterprise CPE). The affected ranges are 16.7.0 up to but not including 18.6.6, 18.7.x before 18.7.4, and 18.8.x before 18.8.4. Releases from 16.7 through 18.5 have no fixed build on their own line and must move to 18.6.6 or a later line. The fixed releases are 18.6.6, 18.7.4 and 18.8.4, and anything newer.

Risk and Exploitability

The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, score 4.3 (Medium): reachable over the network with low attack complexity, requiring only a low-privileged authenticated account and no user interaction, with a limited confidentiality impact and no integrity or availability impact. The EPSS estimate below 1 percent indicates a low predicted probability of exploitation. The SSVC assessment in the record marks exploitation status as 'poc' (a proof of concept is known), 'Automatable: no' and 'Technical Impact: partial'. The issue gives no path to code execution or service disruption; what it exposes is iteration planning data (titles, descriptions, start and due dates) from private subgroups, which can be sensitive in its own right. The CVE is not in the CISA KEV catalog; KEV records confirmed in-the-wild exploitation, so its absence means none has been confirmed, not that exploitation has not occurred.

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.6.6, 18.7.4, 18.8.4 or above.


OpenCVE Recommended Actions

  • Upgrade affected GitLab EE instances to 18.6.6, 18.7.4 or 18.8.4 (or any later release on those lines), which contain the fix for this authorization bypass; instances on 16.7 through 18.5 must move to 18.6.6 or newer.
  • If an immediate upgrade is not possible, reduce exposure rather than trying to disable the endpoint: the flaw surfaces descendant data through queries against an ancestor group, so the practical exposure is whoever can query an ancestor group's iterations. Review membership of ancestor groups whose private subgroups hold sensitive iterations, and treat this as a stopgap; the authorization check itself is only corrected by the patch.
  • After patching, verify the fix: as a user who can see an ancestor group but has no access to a private descendant, query the group iterations endpoint (including with include_descendants=true, the widest form of the query) and confirm that no iteration carrying the private descendant's group_id is returned, and that a direct query against the private descendant is refused.
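A verification script for the steps above, added here as an example; it is not OpenCVE's or GitLab's code. It assumes the stock GitLab REST endpoints GET /api/v4/version and GET /api/v4/groups/:id/iterations, with their documented group_id response field and include_descendants query parameter; the page does not say which query reaches the flaw, so the script simply issues the widest one. Connection details come from environment variables GITLAB_URL, GITLAB_TOKEN (a personal access token for an account that is a member of PARENT_GROUP_ID but has no access to PRIVATE_SUBGROUP_ID), PARENT_GROUP_ID and PRIVATE_SUBGROUP_ID, all of which are names chosen for this example. It also encodes the affected-version ranges from the advisory so the instance's own /version can be classified first.

```python
"""Post-patch check for the GitLab EE iterations API disclosure (CVE-2026-1080).

Example code, not GitLab's. Assumed (not stated on the advisory page):
  - GET /api/v4/groups/:id/iterations returns objects with a `group_id` field
    and accepts `include_descendants=true` (both documented GitLab API features).
  - Env vars GITLAB_URL, GITLAB_TOKEN, PARENT_GROUP_ID, PRIVATE_SUBGROUP_ID
    (names chosen for this script).
"""
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Fixed releases from the advisory. Everything from 16.7 up to (not including)
# 18.6.6 is affected, as are 18.7.x < 18.7.4 and 18.8.x < 18.8.4. 18.9+ never
# shipped the flaw; 16.6 and earlier predate it.
FIXED = {(18, 6): (18, 6, 6), (18, 7): (18, 7, 4), (18, 8): (18, 8, 4)}


def parse_version(text):
    """'18.6.3-ee' -> (18, 6, 3); raises ValueError on an unparseable string."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if `version` falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v < (16, 7, 0):
        return False            # before the flaw was introduced
    if v < (18, 6, 0):
        return True             # 16.7 .. 18.5.x: no fixed build on these lines
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False            # 18.9 and later
    return v < fixed


def leaked_iterations(iterations, forbidden_group_ids):
    """Return the iterations whose group_id belongs to a group the caller may not see."""
    forbidden = set(forbidden_group_ids)
    return [it for it in iterations if it.get("group_id") in forbidden]


def gitlab_get(base_url, token, path, params=None):
    """GET /api/v4/<path>; returns (http_status, parsed JSON or None on error)."""
    url = f"{base_url.rstrip('/')}/api/v4/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, None


def main():
    base = os.environ["GITLAB_URL"]
    token = os.environ["GITLAB_TOKEN"]
    parent = int(os.environ["PARENT_GROUP_ID"])
    private_sub = int(os.environ["PRIVATE_SUBGROUP_ID"])

    status, info = gitlab_get(base, token, "version")
    if status != 200:
        sys.exit(f"GET /version failed with HTTP {status}")
    verdict = "AFFECTED per advisory" if is_affected(info["version"]) else "outside affected range"
    print(f"instance version {info['version']}: {verdict}")

    # 1. A direct query against the private subgroup must be refused (GitLab
    #    normally answers 404 for groups the caller cannot see).
    status, _ = gitlab_get(base, token, f"groups/{private_sub}/iterations")
    ok = status in (401, 403, 404)
    print(f"direct query on private subgroup -> HTTP {status} ({'ok' if ok else 'UNEXPECTED'})")

    # 2. The widest query on the parent: nothing from the private subgroup may
    #    appear. Only the first page is inspected; add pagination if needed.
    status, items = gitlab_get(base, token, f"groups/{parent}/iterations",
                               {"include_descendants": "true", "per_page": 100})
    if status != 200:
        sys.exit(f"parent query failed with HTTP {status}")
    leaked = leaked_iterations(items, {private_sub})
    for it in leaked:
        print(f"LEAK: iteration {it.get('id')} {it.get('title')!r} from group {it.get('group_id')}")
    print("result:", "FAIL" if leaked or not ok else "PASS")
    sys.exit(1 if leaked or not ok else 0)


if __name__ == "__main__":
    main()
```

Run it before patching to see whether your instance meets the "certain conditions" (it may not), and again afterwards: PASS means the direct query was refused and nothing carrying the private subgroup's group_id came back through the parent. The version check only classifies the reported number against the advisory; it is the API result that proves the fix.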

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:45:00 +0000

Type  Values Removed                                    Values Added
CPEs  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*   (none)

Thu, 12 Feb 2026 21:30:00 +0000

Type  Values Removed  Values Added
CPEs  (none)          cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
                      cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Feb 2026 16:15:00 +0000

Type     Values Removed  Values Added
Metrics  (none)          ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 11:45:00 +0000 (record created; all values added)

Type                 Values Added
Description          GitLab has remediated an issue in GitLab EE affecting all versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
Title                Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared  Gitlab; Gitlab gitlab
Weaknesses           CWE-639
CPEs                 cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   Gitlab; Gitlab gitlab
References           (none listed)
Metrics              cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T15:35:58.862Z

Reserved: 2026-01-16T20:34:06.208Z

Link: CVE-2026-1080

Vulnrichment

Updated: 2026-02-11T15:35:46.695Z

NVD

Status: Analyzed

Published: 2026-02-11T12:16:04.120

Modified: 2026-02-12T21:38:00.433

Link: CVE-2026-1080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses