Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.
Published: 2026-07-08
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in GitLab Enterprise Edition could allow an authenticated user with minimal access to read work item metadata from private projects. The vulnerability falls under CWE-862, indicating that an application failed to enforce appropriate access controls. As a result, confidential project information may be disclosed to unauthorized but logged-in users, degrading confidentiality without affecting integrity or availability.

Affected Systems

The issue affects GitLab EE versions starting from 18.9 up to (but not including) 18.11.7, 19.0 up to (but not including) 19.0.4, and 19.1 up to (but not including) 19.1.2. Any installation of GitLab EE within these version ranges that exposes work items is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a low to moderate risk level. EPSS data is unavailable, and the vulnerability is not catalogued in CISA's KEV list, suggesting a lower likelihood of widespread exploitation. The attack requires an authenticated session with minimal privileges, meaning the threat is limited to users who have logged into the system. Consequently, while the risk is not critical, it remains significant enough to command remediation.

Generated by OpenCVE AI on July 9, 2026 at 04:03 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab EE to 18.11.7, 19.0.4, 19.1.2 or later.
  • Enforce strict role‑based access controls on work item views to prevent unauthorized read access.
  • Monitor API and user activity logs for anomalous work item data requests and investigate any unexpected access patterns.

Generated by OpenCVE AI on July 9, 2026 at 04:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.
Title Missing Authorization in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-862
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-07-08T20:46:28.855Z

Reserved: 2026-05-13T13:04:47.771Z

Link: CVE-2026-8472

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses