CVE-2026-2370 - Vulnerability Details

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

Published: 2026-03-29

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

GitLab Community Edition and Enterprise Edition contain a vulnerability that allows an authenticated user with minimal workspace permissions to bypass authorization checks and retrieve Jira Connect installation credentials. The attacker can then use those credentials to impersonate the GitLab application, effectively executing actions on behalf of the app. This permits unauthorized access to resources and data that should be protected, leading to potential compromise of confidentiality, integrity, and availability.

Affected Systems

The flaw impacts all GitLab versions from 14.3 up to, but not including, 18.8.7, and all 18.9.x releases prior to 18.9.3, as well as all 18.10.x releases before 18.10.1. Both Community and Enterprise editions are affected. The issue is resolved in the listed patched releases.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity. Exploitation requires authenticated access with workspace permissions, so an attacker must first obtain valid credentials. No exploit probability was provided, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Until the patch is applied, the risk remains high for systems that handle sensitive data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GitLab

unaffected

Version	Status	Constraints
`14.3`	affected	< 18.8.7
`18.9`	affected	< 18.9.3
`18.10`	affected	< 18.10.1

Configuration 1 [-]

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:18.10.0::::community:::
	cpe:2.3:a:gitlab:gitlab:18.10.0::::enterprise:::

No data.

Vendor Product Confidence Versions

Gitlab

95%

Version	Status	Scheme	Platform
`[14.3,18.8.7)`	affected	generic	—
`[18.9,18.9.3)`	affected	generic	—
`[18.10,18.10.1)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.

OpenCVE Recommended Actions

Upgrade the GitLab instance to a patched version (18.8.7 or newer, 18.9.3 or newer, or 18.10.1 or newer).
If an immediate upgrade is not possible, minimize or remove workspace permissions for users who do not need them.
Monitor GitLab logs for unexpected credential disclosures or application impersonation activity.
Verify that the installed GitLab instance version matches one of the patched releases.

Generated by OpenCVE AI on March 30, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/589635
https://hackerone.com/reports/3522829

History

Mon, 30 Mar 2026 15:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:gitlab:gitlab:::::community:::* cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:18.10.0::::community::: cpe:2.3:a:gitlab:gitlab:18.10.0::::enterprise:::

Mon, 30 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 30 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Title		Improper Handling of Parameters in GitLab
First Time appeared		Gitlab Gitlab gitlab
Weaknesses		CWE-233
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab
References		https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/ https://gitlab.com/gitlab-org/gitlab/-/work_items/589635 https://hackerone.com/reports/3522829
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Gitlab Gitlab

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2026-03-29T23:33:44.410Z

Updated: 2026-03-30T15:02:06.576Z

Reserved: 2026-02-11T20:33:21.941Z

Link: CVE-2026-2370

Vulnrichment

Updated: 2026-03-30T15:01:58.638Z

NVD

Status : Analyzed

Published: 2026-03-30T00:16:01.800

Modified: 2026-03-30T15:44:26.737

Link: CVE-2026-2370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:03:49Z

Weaknesses

CWE-233

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object