Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to view confidential issue references on public projects due to improper authorization checks.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab’s authorization logic incorrectly allows an unauthenticated user to retrieve confidential issue references from public projects. This flaw enables an attacker to view sensitive issue metadata that should be protected, such as issue identifiers, titles, or hidden references, exposing confidential information. The weakness is identified as CWE-862: Missing Authorization.

Affected Systems

GitLab Community Edition and Enterprise Edition installations running a version earlier than 18.11.6, 19.0.3, or 19.1.1 in their respective release lines are affected. All releases in the ranges 17.5 through 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 are vulnerable. The issue applies to both the web interface and the API of GitLab.

Risk and Exploitability

The CVSS score of 5.3 signals moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. The attack requires only unauthenticated HTTP access to a GitLab instance; an attacker can send a normal request to a public project’s issue endpoint and receive hidden reference data. The combination of moderate severity and a straightforward delivery vector indicates that the vulnerability is actionable and should be addressed promptly.

Generated by OpenCVE AI on June 25, 2026 at 06:21 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.6 or higher, 19.0.3 or higher, or 19.1.1 or higher.
  • If an upgrade cannot be performed immediately, restrict public projects from displaying confidential issue references or disable the feature that exposes these references in the project settings.
  • Monitor web access logs for abnormal requests to the issue endpoints to detect potential exploitation.

Generated by OpenCVE AI on June 25, 2026 at 06:21 UTC.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to view confidential issue references on public projects due to improper authorization checks.
Title | | Missing Authorization in GitLab
First Time appeared | | Gitlab; Gitlab gitlab
Weaknesses | | CWE-862
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab; Gitlab gitlab
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:34:54.041Z

Reserved: 2026-02-09T06:33:06.781Z

Link: CVE-2026-2238

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T06:30:16Z

Weaknesses