Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Published: 2026-04-08
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach: IP addresses leaked
Action: Immediate Patch
AI Analysis

Impact

An authenticated user can embed malicious content into a Code Quality report in GitLab Enterprise Edition. When another authenticated user opens that report, the embedded content causes the viewer's IP address to be disclosed to the attacker. The flaw is classified as code injection (CWE-94) and results in disclosure of sensitive network information; it does not provide remote code execution.

Affected Systems

All GitLab EE releases from 18.0.0 up to, but not including, 18.8.9, 18.9.5, and 18.10.3 are affected. The vulnerability manifests whenever Code Quality reports are enabled and a user has permission to view reports. The issue is platform-agnostic and affects every environment running the affected GitLab versions.

Risk and Exploitability

The CVSS base score of 5.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker to be authenticated to GitLab, craft a malicious report, and persuade or force another authenticated user to view the report. The potential impact is limited to IP-address leakage, but the privacy breach could be a precursor to more targeted attacks.

Generated by OpenCVE AI on April 14, 2026 at 22:27 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.9, 18.9.5, or 18.10.3, or any later release.


OpenCVE Recommended Actions

  • Upgrade GitLab EE to version 18.8.9, 18.9.5, 18.10.3, or any later release.
  • Restrict which users can create or edit Code Quality reports to trusted personnel.
  • Disable Code Quality report generation or limit its visibility when not needed.

Generated by OpenCVE AI on April 14, 2026 at 22:27 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Title | | Improper Control of Generation of Code ('Code Injection') in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T15:42:34.893Z

Reserved: 2026-01-28T05:03:57.410Z

Link: CVE-2026-1516

Vulnrichment

Updated: 2026-04-09T15:42:22.322Z

NVD

Status: Analyzed

Published: 2026-04-08T23:16:57.920

Modified: 2026-04-14T17:03:01.990

Link: CVE-2026-1516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses