Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Upgrade
AI Analysis

Impact

GitLab contains an improper access control flaw that allows an authenticated user to view the titles of confidential or private issues in publicly visible projects. The weakness is incorrect authorization, classified as CWE-863. The consequence is disclosure of internal project information (the titles of confidential issues) that may give attackers insight into repository structure, project status, or potential targets, leaking sensitive business logic and planning details.

Affected Systems

GitLab CE and EE, all releases from 18.11 up to but not including 18.11.1. The vulnerability affects every installation running these releases regardless of configuration, in both the community and enterprise editions.

Risk and Exploitability

The CVSS base score of 4.3 indicates a medium impact. Exploitation requires only that the attacker be an authenticated user with access to a public project. Attackers can then craft requests to the issue rendering service and observe the titles of confidential issues. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog at this time, so the risk is governed mainly by the medium CVSS score and the likelihood that an attacker already holds an authenticated account on the affected GitLab instance.

Generated by OpenCVE AI on April 27, 2026 at 08:49 UTC.

Remediation

Vendor Solution

Upgrade to version 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade all GitLab CE and EE installations to version 18.11.1 or later to eliminate the improper access control flaw.
  • After patching, audit user permissions on public projects to ensure that only intended roles have access to issue information, and remove any unnecessary privileges.
  • Implement stricter visibility settings for issues within public projects and enable organizational security controls such as two-factor authentication to reduce the likelihood of unauthorized authenticated access.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
     | | cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.
Title | | Incorrect Authorization in GitLab
First Time appeared | | Gitlab
                    | | Gitlab gitlab
Weaknesses | | CWE-863
CPEs | | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | | Gitlab
                   | | Gitlab gitlab
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:52:14.162Z

Reserved: 2026-04-01T20:03:36.688Z

Link: CVE-2026-5377

Vulnrichment

Updated: 2026-04-22T17:52:10.489Z

NVD

Status: Analyzed

Published: 2026-04-22T17:16:44.613

Modified: 2026-04-23T20:37:26.863

Link: CVE-2026-5377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses