Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
Published: 2026-05-14
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab’s integration with Jira mistakenly used a project filter only as a display control, failing to restrict the API token’s real access. Consequently, an authenticated user could view Jira issues outside the intended projects, exposing potentially sensitive information. This is a classic confused‑deputy flaw that allows a party with some legitimate access to leverage a feature for unauthorized actions.

Affected Systems

GitLab Community Edition and Enterprise Edition from version 13.7 up to, but not including, 18.9.7; versions 18.10.0 through 18.10.5; and versions 18.11.0 through 18.11.2 are affected. All earlier and these pre‑patch series are vulnerable.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 5.8 and currently has no EPSS data, indicating limited publicly available exploitation evidence. It is not listed in the CISA KEV catalog. Because the issue requires an authenticated user, the attack vector is typically internal; any user who can use the Jira integration can exploit the flaw without additional privileges.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.7, 18.10.6, 18.11.3 or above. Additionally, review the Jira API token used in your integration and ensure it is scoped to only the Jira projects you intend to expose. The project keys field in the integration configuration filters the displayed issues but does not restrict the token's access. To limit which issues can be read through the integration, generate the API token from a Jira account with access only to the desired projects.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.9.7, 18.10.6, 18.11.3 or later.
  • Review the Jira API token used in your integration and ensure it is scoped only to the Jira projects you intend to expose.
  • Generate the Jira API token from an account that has access exclusively to the desired projects.

Generated by OpenCVE AI on May 14, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 03:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
Title Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-441
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-05-14T13:09:24.780Z

Reserved: 2026-02-24T21:03:59.433Z

Link: CVE-2026-3160

cve-icon Vulnrichment

Updated: 2026-05-14T13:09:20.365Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-14T06:16:22.657

Modified: 2026-05-16T03:34:41.617

Link: CVE-2026-3160

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T07:30:06Z

Weaknesses