Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
Published: 2026-05-14
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab's issue creation and commenting APIs for private projects performed an insufficient authorization check, allowing an authenticated user whose OAuth application held only the read_api scope to create new issues and add comments. This business-logic flaw means that an attacker can add arbitrary content to private projects, potentially defacing the project or leaking sensitive information. The vulnerability is classified as CWE-840 (Business Logic Errors), stemming from a missing authorization check.
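The authorization decision at the heart of this advisory, as an added example that is not GitLab's code: a token that carries only the read-only read_api scope must be refused on endpoints that create issues or notes. The weak check below verifies only that the token is valid and that the user can see the project, which is the shape of bug the advisory describes; the fixed check additionally requires a scope that grants write access. All names (Token, Project, authorize_weak, authorize_fixed, the sample users and project) are hypothetical, and the mapping of read_api to read-only and api to read/write access is an assumption based on GitLab's documented scope names.

```python
"""Scope enforcement for an OAuth-protected issue API (hypothetical model).

Added example, not GitLab code. Models the authorization decision that
CVE-2026-1322 concerns: mutating actions must require a write-capable scope,
not merely a valid token plus project visibility.
"""
from dataclasses import dataclass, field

READ_ACTIONS = {"list_issues", "read_issue"}
WRITE_ACTIONS = {"create_issue", "create_note"}

# Assumption: read_api grants read-only access, api grants read and write.
SCOPES_GRANTING = {
    "read": {"read_api", "api"},
    "write": {"api"},
}


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset


@dataclass
class Project:
    name: str
    visibility: str  # "private" or "public"
    members: set = field(default_factory=set)


def can_view(token, project):
    """Visibility check: public projects are readable by anyone, private ones by members."""
    return project.visibility == "public" or token.user in project.members


def authorize_weak(token, project, action):
    """Weak check (the bug class): authenticated + can view project => allowed.

    The requested action and the token's scopes are never consulted, so a
    read_api token is allowed to create issues and notes.
    """
    if token is None or not token.scopes:
        return False
    return can_view(token, project)


def authorize_fixed(token, project, action):
    """Hardened check: the token must hold a scope that grants the action's class."""
    if token is None or not token.scopes:
        return False
    if action in READ_ACTIONS:
        needed = SCOPES_GRANTING["read"]
    elif action in WRITE_ACTIONS:
        needed = SCOPES_GRANTING["write"]
    else:
        return False  # unknown action: deny by default
    if not (token.scopes & needed):
        return False  # scope does not cover this action class
    return can_view(token, project)


# Constructed sample data (hypothetical users and project).
PRIVATE_PROJECT = Project("secret-app", "private", {"alice"})
READ_ONLY_TOKEN = Token("alice", frozenset({"read_api"}))
FULL_TOKEN = Token("alice", frozenset({"api"}))
OUTSIDER_TOKEN = Token("bob", frozenset({"api"}))


def compare(token, project, action):
    """Return both decisions side by side so the divergence is visible."""
    return {
        "weak": authorize_weak(token, project, action),
        "fixed": authorize_fixed(token, project, action),
    }


if __name__ == "__main__":
    for action in sorted(READ_ACTIONS | WRITE_ACTIONS):
        print(action, compare(READ_ONLY_TOKEN, PRIVATE_PROJECT, action))
```

Running the module prints, for each action, where the weak and fixed checks disagree: with a read_api token on a private project the weak check allows create_issue and create_note, the fixed check refuses them, and both still allow the read actions for a project member.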

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from 16.0 up to but not including 18.9.7, 18.10.6, and 18.11.3 are affected.

Risk and Exploitability

The CVSS score of 6.8 reflects a moderate severity. EPSS is not available and the issue is not listed in CISA's KEV catalog. Exploitation requires an authenticated OAuth application with a read_api scope, which allows the attacker to create issues or post comments in private projects. The potential impact depends on the sensitivity of the project, but the flaw enables unauthorized alteration of project content and could lead to accidental disclosure of confidential information. The recommended course of action is to apply the vendor patch as soon as feasible.

Generated by OpenCVE AI on May 14, 2026 at 07:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab versions 18.9.7, 18.10.6, 18.11.3 or later.
  • Revoke or delete any existing OAuth applications that are not required, particularly those with a read_api scope.
  • Restrict the creation of new OAuth applications from using the read_api scope unless it is strictly necessary, applying the principle of least privilege.
  • If an immediate upgrade is not possible, temporarily disable the API endpoints that allow issue creation and commenting in private projects until the security fix is applied.


Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.
Title Business Logic Errors in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-840
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:05:16.129Z

Reserved: 2026-01-22T06:33:14.024Z

Link: CVE-2026-1322

Vulnrichment

Updated: 2026-05-14T13:05:11.894Z

NVD

Status : Analyzed

Published: 2026-05-14T06:16:21.340

Modified: 2026-05-16T03:37:08.250

Link: CVE-2026-1322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:00:10Z

Weaknesses