Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Published: 2026-03-29
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Theft and Application Impersonation
Action: Immediate Patch
AI Analysis

Impact

GitLab's authorization logic for the Jira Connect integration contains an improper authorization check that allows an authenticated user with only minimal workspace permissions to retrieve the installation credentials of the GitLab application. With these credentials, the attacker can impersonate GitLab and act as the application itself. This impersonation gives the user access to sensitive configuration data and lets them perform actions that should be restricted to authorized administrators, compromising the integrity and confidentiality of the integrated environment.

Affected Systems

GitLab Community Edition and GitLab Enterprise Edition deployments from version 14.3 up through versions 18.8.6, 18.9.0 to 18.9.2, and the 18.10.0 release are affected when connected to Jira. The vulnerability does not apply to the patched releases 18.8.7, 18.9.3, or 18.10.1 and later.

Risk and Exploitability

The CVSS v3.1 base score is 8.1 (High). The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, but because only an authenticated user with minimal workspace rights is required, any already-trusted low-privilege account is sufficient for compromise. Once exploited, an attacker can steal credentials and impersonate the GitLab application, potentially enabling further lateral movement or unauthorized configuration changes.

Generated by OpenCVE AI on March 30, 2026 at 16:52 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.8.7, 18.9.3, 18.10.1 or newer to resolve the authorization issue.
  • If an upgrade cannot be executed immediately, restrict Jira Connect access for users lacking workspace permissions or temporarily disable the Jira Connect integration until the patch is applied.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 03:00:00 +0000

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Important
References: no values listed


Mon, 30 Mar 2026 15:45:00 +0000

Type: CPEs
Values listed:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*

Mon, 30 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 03:30:00 +0000

Type: Description
Values Added: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

Type: Title
Values Added: Improper Handling of Parameters in GitLab

Type: First Time appeared
Values Added: Gitlab; Gitlab gitlab

Type: Weaknesses
Values Added: CWE-233

Type: CPEs
Values Added: cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Gitlab; Gitlab gitlab

Type: References
Values Added: no values listed

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-30T15:02:06.576Z

Reserved: 2026-02-11T20:33:21.941Z

Link: CVE-2026-2370

Vulnrichment

Updated: 2026-03-30T15:01:58.638Z

NVD

Status: Analyzed

Published: 2026-03-30T00:16:01.800

Modified: 2026-03-30T15:44:26.737

Link: CVE-2026-2370

Redhat

Severity: Important

Public Date: 2026-03-29T23:33:44Z

Links: CVE-2026-2370 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:56:36Z

Weaknesses