Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized viewing of confidential issue data via CSV export
Action: Apply patch
AI Analysis

Impact

GitLab CE/EE allowed an authenticated user to export issues as CSV. Because authorization checks were insufficient, the export revealed confidential issues assigned to other users, giving unauthorized access to sensitive issue data. This is an authorization bypass that compromises confidentiality of issue contents.
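The paragraph above describes the bug class tracked as CWE-639: a coarse membership gate at the export endpoint with no per-record check, so rows the requesting user could never open individually still land in the file. The following Python sketch is an added example, not GitLab's code; the project, users, issues and the confidential-issue visibility rule modeled here (author, assignee, or a member at reporter level and above) are all assumptions constructed for the illustration. It places the flawed export beside the hardened one and shows what a guest account receives from each.

```python
import csv
import io
from dataclasses import dataclass

# All names, roles and issues below are constructed sample data for this
# illustration; they are not GitLab's data model, code or exact access rule.
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40}


@dataclass(frozen=True)
class Issue:
    iid: int
    title: str
    author: str
    assignees: frozenset = frozenset()
    confidential: bool = False


@dataclass(frozen=True)
class Project:
    members: dict  # username -> role name


def can_read_issue(project: Project, user: str, issue: Issue) -> bool:
    """Per-record authorization check (assumed rule): any member may read a
    non-confidential issue; a confidential issue is readable only by its
    author, an assignee, or a member with at least the reporter role."""
    role = project.members.get(user)
    if role is None:
        return False
    if not issue.confidential:
        return True
    return (
        user == issue.author
        or user in issue.assignees
        or ROLE_RANK[role] >= ROLE_RANK["reporter"]
    )


def _to_csv(issues) -> str:
    """Serialize issues to CSV text (shared by both export variants)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["iid", "title", "confidential"])
    for issue in issues:
        writer.writerow([issue.iid, issue.title, issue.confidential])
    return buf.getvalue()


def export_csv_vulnerable(project: Project, issues, user: str) -> str:
    """Flawed pattern: the only check is a coarse 'is a member' gate at the
    endpoint, so every issue in the project is serialized regardless of
    whether the requester may read it individually."""
    if user not in project.members:
        raise PermissionError(f"{user} is not a project member")
    return _to_csv(issues)


def export_csv_fixed(project: Project, issues, user: str) -> str:
    """Hardened pattern: keep the endpoint gate, then apply the same
    per-issue read check the single-issue view uses to every row."""
    if user not in project.members:
        raise PermissionError(f"{user} is not a project member")
    readable = [i for i in issues if can_read_issue(project, user, i)]
    return _to_csv(readable)


def exported_iids(csv_text: str) -> list:
    """Read the iid column back out of an export, in file order."""
    return [int(row["iid"]) for row in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample project: two guests who should each see only the
# confidential issue they authored or are assigned to.
PROJECT = Project(members={"alice": "maintainer", "bob": "guest", "carol": "guest"})
ISSUES = [
    Issue(1, "Public bug report", "alice"),
    Issue(2, "Credential rotation plan", "alice", frozenset({"alice"}), True),
    Issue(3, "Private note from bob", "bob", confidential=True),
    Issue(4, "Security triage for carol", "alice", frozenset({"carol"}), True),
]


def compare_exports(user: str) -> dict:
    """Return the issue iids each export path would hand to `user`."""
    return {
        "vulnerable": exported_iids(export_csv_vulnerable(PROJECT, ISSUES, user)),
        "fixed": exported_iids(export_csv_fixed(PROJECT, ISSUES, user)),
    }


if __name__ == "__main__":
    for name in ("bob", "carol", "alice"):
        print(name, compare_exports(name))
```

The point for defenders is that bulk paths (CSV export, list endpoints, reports) must reuse the exact per-object authorization predicate the single-object view applies; a membership check at the endpoint is not a substitute, and a test that exports as a low-privilege member and asserts on the returned iids catches the regression directly.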

Affected Systems

The vulnerability affects GitLab Community and Enterprise Edition releases in three ranges: 18.2 and later before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. Any deployment running one of these versions, whether Community or Enterprise Edition, is susceptible.

Risk and Exploitability

The CVSS score is 4.3 (Medium), reflecting a limited confidentiality impact with no integrity or availability impact. EPSS is below 1%, suggesting a low likelihood of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. Exploitation requires an authenticated account and use of the CSV export function, so the attacker must already hold a legitimate user account on the instance. Given the moderate CVSS and low EPSS, the overall risk is moderate, but administrators should still patch promptly.

Generated by OpenCVE AI on April 14, 2026 at 20:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.

OpenCVE Recommended Actions

  • Upgrade to GitLab 18.8.9, 18.9.5, 18.10.3 or a newer release.
  • Verify the deployment is no longer on the affected versions.
  • Monitor audit logs for CSV export activity if upgrade cannot be performed immediately.

Generated by OpenCVE AI on April 14, 2026 at 20:23 UTC.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Title Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-639
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-09T15:43:25.441Z

Reserved: 2026-02-06T14:04:19.833Z

Link: CVE-2026-2104

Vulnrichment

Updated: 2026-04-09T15:43:21.363Z

NVD

Status: Analyzed

Published: 2026-04-08T23:16:58.393

Modified: 2026-04-14T16:57:57.377

Link: CVE-2026-2104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z

Weaknesses