Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.
Published: 2026-06-25
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab CE/EE versions 9.3 through 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 contain a flaw in a CI/CD API endpoint that does not properly filter sensitive data before logging it. The flaw, classified as CWE-532, allows data containing confidential information, such as passwords or tokens, to be written to application log files. If an attacker supplies input to the endpoint, the system records that input verbatim, potentially exposing secrets to anyone with read access to the logs.

Affected Systems

The vulnerable functionality is part of GitLab CE/EE (CPE vendor/product gitlab:gitlab) on all supported platforms. All releases from 9.3 up to 18.11.5, 19.0.0 through 19.0.2, and 19.1.0 are affected. The issue was remediated in GitLab 18.11.6, 19.0.3, and 19.1.1, and later releases inherit the fix.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so no widespread exploitation is known. However, because the flaw writes sensitive data to logs that may be accessible to users or administrators, the potential impact ranges from accidental disclosure of credentials to facilitating additional attacks. Based on the description, it is inferred that an attacker must have access to the vulnerable CI/CD API endpoint—typically an authenticated user with CI/CD privileges—to trigger the logging of secrets.

Generated by OpenCVE AI on June 25, 2026 at 06:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to a patched release such as 18.11.6, 19.0.3, or 19.1.1 or later.
  • If an upgrade cannot be performed immediately, restrict or disable the CI/CD API endpoint that writes sensitive data to logs, or apply configuration changes to suppress secret logging.
  • Ensure application logs are stored with strict access controls so that only privileged users can read them, and monitor logs for unexpected sensitive data entries.

Generated by OpenCVE AI on June 25, 2026 at 06:23 UTC.
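As an added defensive example (not GitLab's code and not the advisory's fix), the following Python implements the last two recommended actions in a generic form: a scanner that flags log lines carrying token-like or credential-like values, and a logging filter that redacts such values before a line is written. The sample log lines, the endpoint path and the token values are constructed for the example; the `glpat-` token prefix and the `PRIVATE-TOKEN` header are GitLab conventions, while the remaining patterns are generic key/value forms and would need tuning for a real deployment.

```python
"""Detect and redact secrets in application log lines (CWE-532 mitigation).

Illustrative code, not GitLab's own log filtering. The patterns below are
assumptions about what a leaked secret looks like; the sample log lines
are constructed.
"""
import logging
import re
from typing import List, Tuple

# Each entry names the secret class it matches. "glpat-" and PRIVATE-TOKEN
# are real GitLab conventions; the other patterns are generic.
SECRET_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("gitlab_pat", re.compile(r"glpat-[A-Za-z0-9_\-]{20,}")),
    ("private_token_header", re.compile(r"(?i)(PRIVATE-TOKEN:\s*)\S+")),
    ("bearer_token", re.compile(r"(?i)(Authorization:\s*Bearer\s+)\S+")),
    # key=value or "key": "value" where the key name suggests a secret
    ("kv_secret", re.compile(
        r'(?i)(["\']?(?:password|passwd|secret|token|api_key)["\']?\s*[=:]\s*["\']?)([^"\'&\s,]+)')),
]

REDACTED = "[REDACTED]"

# Constructed sample lines in a request-log style. The endpoint path is a
# placeholder, not the endpoint referenced in the advisory.
SAMPLE_LOG = [
    "2026-06-25T05:15:00Z INFO  POST /api/v4/projects/42/ci/example-endpoint token=glpat-AbCdEfGhIjKlMnOpQrSt status=201",
    '2026-06-25T05:15:01Z DEBUG headers={"PRIVATE-TOKEN": "glpat-ZyXwVuTsRqPoNmLkJiHg"}',
    "2026-06-25T05:15:02Z INFO  GET /api/v4/projects/42/pipelines status=200",
    '2026-06-25T05:15:03Z WARN  variables={"DB_PASSWORD": "hunter2", "CI_JOB_NAME": "build"}',
    "2026-06-25T05:15:04Z DEBUG request headers: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload",
]


def redact_line(line: str) -> str:
    """Return the line with every matched secret value replaced by [REDACTED].

    Patterns with a capture group keep the key or header prefix (group 1)
    and drop only the value; prefix-less patterns replace the whole match.
    The function is idempotent, so re-filtering already-redacted lines is safe.
    """
    for _name, pattern in SECRET_PATTERNS:
        if pattern.groups:
            line = pattern.sub(lambda m: m.group(1) + REDACTED, line)
        else:
            line = pattern.sub(REDACTED, line)
    return line


def redact_lines(lines: List[str]) -> List[str]:
    """Redact a batch of log lines."""
    return [redact_line(line) for line in lines]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Monitoring side: report (1-based line number, secret class) for each hit.

    A single line may report several classes when more than one pattern matches.
    """
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((number, name))
    return hits


class SecretRedactingFilter(logging.Filter):
    """Logging filter that redacts secrets before a record reaches any handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format the message once, redact it, and clear args so handlers
        # do not re-apply the original (unredacted) arguments.
        record.msg = redact_line(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    for number, kind in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {kind}")
    for line in redact_lines(SAMPLE_LOG):
        print(line)

    # Attach the filter to a logger so new records are scrubbed at source.
    logger = logging.getLogger("ci-api")
    logger.addFilter(SecretRedactingFilter())
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    logger.info("trigger request token=%s status=%s", "glpat-AbCdEfGhIjKlMnOpQrSt", 201)
```

The scanner is the piece to run periodically over existing log files (a hit is a signal to rotate the exposed credential and to review who could read that file); the filter is the piece to place in front of the log handler so secrets never land on disk. Redaction is pattern-based, so a secret with no recognisable shape will slip through; the durable fix remains upgrading to a release that filters the endpoint's input server-side.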

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.
Title | (none) | Insertion of Sensitive Information into Log File in GitLab
First Time appeared | (none) | Gitlab; Gitlab gitlab
Weaknesses | (none) | CWE-532
CPEs | (none) | cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Gitlab; Gitlab gitlab
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-25T04:34:04.042Z

Reserved: 2026-05-11T15:06:21.504Z

Link: CVE-2026-8330

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T08:15:05Z

Weaknesses
  • CWE-532: Insertion of Sensitive Information into Log File