Description
GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows.
Published: 2026-06-25
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition versions from 19.1 before 19.1.1 were found to log sensitive data when Duo Workflows executed, because of inadequate output filtering. This flaw allowed a user who could trigger a Duo Workflow to read previously committed confidential information from log files, effectively leaking data that had already been committed to the repository. The weakness is classified as CWE-532, insertion of sensitive information into a log file, and compromises confidentiality.

Affected Systems

All GitLab Enterprise Edition installations running versions 19.1, 19.1.0, or any sub-minor release prior to 19.1.1 are affected. The vulnerability is specific to GitLab's Duo Workflows component and does not affect GitLab CE or EE versions 19.1.1 and later.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests exploitation is unlikely to be widespread at present. The likely attack vector requires a user with permission to initiate a Duo Workflow; an attacker with such access could read confidential data from log files, and that data stays exposed for as long as the log entries are retained. The impact is limited to information disclosure, but it effectively enables unauthorized data access within the affected system.

Generated by OpenCVE AI on June 25, 2026 at 06:24 UTC.

Remediation

Vendor Solution

Upgrade to version 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab Enterprise Edition to version 19.1.1 or later to eliminate the logging flaw.
  • If an upgrade cannot be performed immediately, restrict or remove permissions for users to execute Duo Workflows until the patch is applied.
  • Monitor and audit log files for unexpected sensitive data entries before and after applying the patch to ensure no residual leakage remains.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows.
Title | (none) | Insertion of Sensitive Information into Log File in GitLab
First Time appeared | (none) | Gitlab; Gitlab gitlab
Weaknesses | (none) | CWE-532
CPEs | (none) | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Gitlab; Gitlab gitlab
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:33:44.039Z

Reserved: 2026-06-11T22:33:18.063Z

Link: CVE-2026-12053

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:45:05Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File