Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized access to confidential issue data via CSV export
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from insufficient authorization checks in the issues CSV export. An authenticated user can trigger the export and receive rows for confidential issues assigned to other users that they are not permitted to read. The result is unauthorized disclosure of confidential issue content; the weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), the pattern in which a user-supplied identifier selects records without the requester's access to each record being verified. No impact on integrity or availability is described, consistent with the CVSS vector (C:L/I:N/A:N).
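To make the CWE-639 pattern concrete, here is an added Ruby illustration (not GitLab's code; the issue model, the role rule in can_read_issue? and the assignee_id filter parameter are hypothetical) of a CSV export that applies a user-supplied assignee filter directly to the full issue set, beside the hardened form that first restricts the candidate set to issues the requesting user may read:

```ruby
require 'csv'

# Constructed sample model; not GitLab's schema. Only the fields needed to show the pattern.
Issue = Struct.new(:id, :title, :assignee_id, :author_id, :confidential, keyword_init: true)
User  = Struct.new(:id, :reporter_or_above, keyword_init: true)

ISSUES = [
  Issue.new(id: 1, title: 'Login page typo',           assignee_id: 1, author_id: 2, confidential: false),
  Issue.new(id: 2, title: 'Leaked deploy token in CI', assignee_id: 2, author_id: 3, confidential: true),
  Issue.new(id: 3, title: 'Security review notes',     assignee_id: 1, author_id: 3, confidential: true),
].freeze

# Simplified confidentiality rule (an assumption for this example): confidential issues are
# readable by project members at Reporter level or above, or by the issue's author or assignee.
def can_read_issue?(user, issue)
  return true unless issue.confidential
  user.reporter_or_above || issue.author_id == user.id || issue.assignee_id == user.id
end

def to_csv(rows)
  CSV.generate do |csv|
    csv << %w[id title assignee_id confidential]
    rows.each { |i| csv << [i.id, i.title, i.assignee_id, i.confidential] }
  end
end

# VULNERABLE shape (CWE-639): the assignee_id key comes straight from the request and selects
# rows from the full issue set; nothing checks that the requester may read each issue.
def export_csv_vulnerable(params)
  rows = ISSUES.select { |i| i.assignee_id == params[:assignee_id].to_i }
  to_csv(rows)
end

# HARDENED shape: derive the candidate set from what the current user is authorised to read,
# then apply the user-controlled filter to that set, so the key can only narrow the result.
def export_csv_fixed(current_user, params)
  visible = ISSUES.select { |i| can_read_issue?(current_user, i) }
  rows = visible.select { |i| i.assignee_id == params[:assignee_id].to_i }
  to_csv(rows)
end

if __FILE__ == $PROGRAM_NAME
  guest = User.new(id: 1, reporter_or_above: false)
  puts "vulnerable export, assignee_id=2:\n#{export_csv_vulnerable({ assignee_id: '2' })}"
  puts "fixed export, assignee_id=2, as guest:\n#{export_csv_fixed(guest, { assignee_id: '2' })}"
end
```

The important design point is ordering: the authorization scope is applied before the user-controlled filter, so the filter can only narrow a set the requester was already allowed to see. Applying the filter first and checking permissions on the resulting rows is also acceptable, but forgetting the check on an export path that bypasses the normal listing code is exactly how this class of bug arises.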

Affected Systems

GitLab Community Edition and Enterprise Edition releases from 18.2 before 18.8.9, from 18.9 before 18.9.5, and from 18.10 before 18.10.3 are vulnerable. Any deployment running one of those versions is at risk; releases before 18.2 and from 18.11 onward are outside the stated ranges.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) rates the flaw Medium: it is reachable over the network with low attack complexity and no user interaction, but requires an authenticated, low-privileged account. No EPSS score is available, and the CVE is not listed in the CISA KEV catalog. Because an attacker must first authenticate to the GitLab instance to use the CSV export feature, the realistic threat is an insider or a compromised low-privilege account, including self-registered accounts on instances that allow open sign-up. A successful attacker can export confidential issue data they are not entitled to read; no further system compromise is described.

Generated by OpenCVE AI on April 8, 2026 at 23:51 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab CE/EE 18.8.9, 18.9.5, 18.10.3 or later.
  • Verify that the upgrade has been applied by checking the running GitLab version (for example in the Admin area or via the /api/v4/version API endpoint) against the fixed versions above.
  • Validate the fix with a low-privilege test account that is neither the author nor the assignee of a known confidential issue: run the issues CSV export and confirm that issue is absent from the result.
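As an added example (not OpenCVE's or GitLab's code), the following Ruby script encodes the advisory's affected version ranges and classifies a version string as affected or not; the fetch_gitlab_version helper reads the running version from GitLab's /api/v4/version endpoint, while the instance URL, token and the sample version strings at the bottom are assumptions for illustration:

```ruby
require 'net/http'
require 'json'
require 'uri'

# Affected ranges from the advisory for CVE-2026-2104 (major version 18 only):
#   18.2 <= v < 18.8.9, 18.9 <= v < 18.9.5, 18.10 <= v < 18.10.3
# Everything before 18.2 and from 18.11 onward is outside the stated ranges.
def parse_version(str)
  m = str.to_s.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unparseable GitLab version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

def affected_by_cve_2026_2104?(version_string)
  major, minor, patch = parse_version(version_string)
  return false unless major == 18
  case minor
  when 2..7 then true          # every release in these branches precedes 18.8.9
  when 8    then patch < 9     # fixed in 18.8.9
  when 9    then patch < 5     # fixed in 18.9.5
  when 10   then patch < 3     # fixed in 18.10.3
  else false
  end
end

# Reads the running version from the instance's /api/v4/version endpoint (a real GitLab API that
# requires an authenticated token). This is a network call and is not exercised offline.
def fetch_gitlab_version(base_url, private_token)
  uri = URI.join(base_url, '/api/v4/version')
  req = Net::HTTP::Get.new(uri)
  req['PRIVATE-TOKEN'] = private_token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  raise "version query failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body).fetch('version')
end

if __FILE__ == $PROGRAM_NAME
  # Live usage against an instance (assumed URL and token; not run here):
  #   version = fetch_gitlab_version('https://gitlab.example.com', ENV.fetch('GITLAB_TOKEN'))
  # Constructed sample strings, including the '-ee' suffix Enterprise Edition instances report:
  %w[18.8.8-ee 18.8.9-ee 18.2.0 18.9.4 18.10.3 17.11.2].each do |v|
    puts "#{v}: #{affected_by_cve_2026_2104?(v) ? 'AFFECTED, upgrade' : 'not in affected range'}"
  end
end
```

The classification deliberately treats 18.2 through 18.7 as affected regardless of patch level, since no fixed release exists in those branches; the only remediation for them is moving to 18.8.9 or later.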

Generated by OpenCVE AI on April 8, 2026 at 23:51 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 22:45:00 +0000

Values added (no values removed):

Description: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.
Title: Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared: Gitlab, Gitlab gitlab
Weaknesses: CWE-639
CPEs: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products: Gitlab, Gitlab gitlab
References:
Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-08T22:25:47.858Z

Reserved: 2026-02-06T14:04:19.833Z

Link: CVE-2026-2104

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-08T23:16:58.393

Modified: 2026-04-08T23:16:58.393

Link: CVE-2026-2104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:38Z

Weaknesses