Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper access control in GitLab CE/EE, allowing an unauthenticated user to download private debugging symbols from projects that should be inaccessible. This flaw permits the disclosure of potentially sensitive diagnostic data, such as stack traces or internal code references, without granting any direct code execution or privilege escalation capabilities.

Affected Systems

GitLab CE and GitLab EE are impacted. All releases from 16.7 up to, but not including, version 18.9.7; from 18.10.0 to 18.10.5; and from 18.11.0 to 18.11.2 contain the flaw. Upgrading to any version 18.9.7, 18.10.6, 18.11.3, or later removes the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation evidence. The attack vector is inferred to involve unauthenticated HTTP requests to endpoints that expose debugging symbols; the attack can be performed by an adversary with network access to the GitLab instance, making exploitation straightforward once the vulnerable condition exists.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab CE/EE to version 18.9.7, 18.10.6, 18.11.3 or later to apply the vendor fix.
  • Disable the debugging symbols feature or remove any debug symbol packages from the GitLab filesystem so that artefacts cannot be served even if the access control check is bypassed.
  • Audit project visibility settings and review access logs to confirm no private debugging symbols are exposed after applying the patch or disabling the feature.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.
Title Authorization Bypass Through User-Controlled Key in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-639
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:08:28.045Z

Reserved: 2026-02-23T20:33:37.526Z

Link: CVE-2026-3074

cve-icon Vulnrichment

Updated: 2026-05-14T13:08:24.896Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T06:16:22.400

Modified: 2026-05-16T03:35:32.603

Link: CVE-2026-3074

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T07:30:06Z

Weaknesses