Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Published: 2026-04-08
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Code Quality reports in GitLab Enterprise Edition could contain attacker-supplied content that, when the report was rendered, disclosed the IP address of each user who viewed it to the author of that content. The weakness is classified as CWE-94 (improper control of code generation): report content was incorporated into what GitLab generated for the viewer without sufficient control, so an attacker with legitimate authenticated access could craft report content that exposed viewers' client network details. An IP address by itself is modest information, but it can reveal the approximate location or the network from which reviewers access the project, which supports later targeting of those users.

Affected Systems

GitLab Enterprise Edition versions from 18.0.0 before 18.8.9, from 18.9.0 before 18.9.5, and from 18.10.0 before 18.10.3 are affected; releases before 18.0.0 are outside the stated range, and 18.8.9, 18.9.5 and 18.10.3 are the first fixed releases in their respective lines. The issue is in the standard GitLab EE code base and is present in any installation of those versions where Code Quality reports are produced and viewed.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 5.7 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, and a confidentiality-only impact with no effect on integrity or availability. No EPSS score is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user able to submit or modify Code Quality report content, so the realistic attackers are insiders or compromised accounts, and it needs user interaction (UI:R): a victim leaks their IP address only by viewing the crafted report. No public exploit has been disclosed, but the low attack complexity makes the leak practical against anyone who opens the report. The vendor's patch removes the code injection vector, so properly updated systems are no longer exposed.

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade to GitLab EE version 18.8.9, 18.9.5, 18.10.3, or any later release.
  • Verify that all GitLab Enterprise Edition instances are running one of the fixed versions and have no older vulnerable releases in use.

Generated by OpenCVE AI on April 8, 2026 at 23:22 UTC.
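The verification step above amounts to comparing each instance's version against the three affected ranges in the advisory. The script below is an added example, not OpenCVE or GitLab code: it parses GitLab version strings (Enterprise Edition instances report versions with a "-ee" suffix, for example from the `version` field of GitLab's `GET /api/v4/version` endpoint), decides whether a version falls inside 18.0.0 to 18.8.9, 18.9.0 to 18.9.5, or 18.10.0 to 18.10.3 (upper bounds exclusive), and names the first fixed release in the same line. The inventory at the bottom is constructed sample data, not real hosts.

```python
"""Check GitLab version strings against the affected ranges of this advisory (added example)."""
import re

# Affected ranges from the advisory description, as (first affected, first fixed).
# The first fixed release is also the minimum upgrade target within that line.
AFFECTED_RANGES = (
    ((18, 0, 0), (18, 8, 9)),
    ((18, 9, 0), (18, 9, 5)),
    ((18, 10, 0), (18, 10, 3)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def parse_version(version):
    """Split '18.9.2-ee' into ((18, 9, 2), 'ee'); the suffix is None when absent."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch)), suffix


def upgrade_target(version):
    """Return the first fixed release for an affected version, or None when not affected."""
    number, _ = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Tuple comparison orders by major, then minor, then patch.
        if first_affected <= number < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_vulnerable(version):
    """True when the version lies inside any affected range."""
    return upgrade_target(version) is not None


def assess(instances):
    """Map instance name -> version string to name -> (version, upgrade target or None)."""
    return {name: (ver, upgrade_target(ver)) for name, ver in instances.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "gitlab-prod": "18.8.3-ee",
        "gitlab-staging": "18.10.2-ee",
        "gitlab-lab": "18.10.3-ee",
        "gitlab-legacy": "17.11.4-ee",
    }
    for name, (ver, target) in assess(sample).items():
        status = f"VULNERABLE, upgrade to {target}" if target else "not in affected range"
        print(f"{name}: {ver} -> {status}")
```

Feeding the script the `version` values collected from each instance's `/api/v4/version` response (which requires an authenticated token) gives a per-instance list of what still needs upgrading; the comparison deliberately uses integer tuples rather than string comparison so that 18.10.x sorts after 18.9.x.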


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
Title | | Improper Control of Generation of Code ('Code Injection') in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:25:57.848Z

Reserved: 2026-01-28T05:03:57.410Z

Link: CVE-2026-1516

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:57.920

Modified: 2026-04-08T23:16:57.920

Link: CVE-2026-1516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:36Z

Weaknesses