Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
Published: 2026-07-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab includes a flaw where cross‑project reference pages lack proper authorization checks, enabling an unauthenticated user to discover whether a private project exists. The issue does not grant code execution or broader access, but it exposes sensitive project existence information that could aid attackers in targeting further exploits.

Affected Systems

The vulnerability affects GitLab Community and Enterprise Editions. All releases from 9.1 up to but excluding 18.11.7, from 19.0 up to but excluding 19.0.4, and from 19.1 up to but excluding 19.1.2 are susceptible.

Risk and Exploitability

With a CVSS score of 4.3 the severity is low‑medium. EPSS data is unavailable, and the issue is not listed in CISA KEV. The attack vector requires no authentication and relies on querying the public cross‑project reference endpoints; exploitation merely confirms the existence of a private project.

Generated by OpenCVE AI on July 9, 2026 at 04:03 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.7, 19.0.4, 19.1.2, or any newer release.
  • Restrict unauthenticated access to cross‑project reference endpoints through firewall rules or application layer ACLs.
  • Enable detailed logging of all access attempts to cross‑project reference pages and review logs for patterns that indicate abuse.

Generated by OpenCVE AI on July 9, 2026 at 04:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross-project reference pages.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-07-08T20:46:33.861Z

Reserved: 2026-04-30T09:04:45.873Z

Link: CVE-2026-7492

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses