CVE-2025-12555 Overview
An improper authorization vulnerability has been identified in GitLab CE/EE that affects all versions from 15.1 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2. Under certain conditions, this flaw allows an authenticated user to access previous pipeline job information on projects where both repository and CI/CD features have been disabled. The vulnerability stems from improper authorization checks (CWE-863) in the pipeline job access control logic.
Critical Impact
Authenticated users may gain unauthorized access to sensitive CI/CD pipeline job data from projects where these features should be completely inaccessible, potentially exposing build secrets, deployment configurations, or proprietary code artifacts.
Affected Products
- GitLab Community Edition (CE) versions 15.1 to 18.7.5
- GitLab Enterprise Edition (EE) versions 15.1 to 18.7.5
- GitLab CE/EE versions 18.8.0 to 18.8.5
- GitLab CE/EE versions 18.9.0 to 18.9.1
Discovery Timeline
- 2026-03-11 - CVE-2025-12555 published to NVD
- 2026-03-11 - GitLab releases security patch (18.9.2, 18.8.6, 18.7.6)
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2025-12555
Vulnerability Analysis
This vulnerability is classified as Improper Authorization (CWE-863), which occurs when a product fails to properly verify that a user has been authorized to access a resource or perform an action. In this specific case, GitLab's access control mechanism does not adequately verify user permissions when retrieving historical pipeline job information from projects where repository and CI/CD features have been administratively disabled.
The root issue lies in the authorization logic that governs access to CI/CD pipeline data. When a project administrator disables repository and CI/CD features, the expectation is that all related data becomes inaccessible. However, due to insufficient authorization checks, authenticated users can still query and retrieve information about previous pipeline jobs that were executed before these features were disabled.
Root Cause
The vulnerability originates from incomplete authorization checks in GitLab's pipeline job information retrieval functionality. When repository and CI/CD features are disabled on a project, the system fails to properly enforce access restrictions on historical pipeline data. The authorization logic appears to check only whether the user has general project access, rather than validating whether the specific CI/CD features are currently enabled and whether the user should have access to that particular type of data.
This represents a classic broken access control pattern where the application assumes that disabling a feature at the UI level is sufficient to prevent access, without implementing corresponding backend authorization checks.
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the GitLab instance. An attacker with a valid GitLab account can exploit this vulnerability by making API requests or navigating to specific endpoints that return pipeline job information for projects they have some level of access to, even when CI/CD features are disabled.
The exploitation scenario involves:
- An attacker authenticates to the GitLab instance with a valid user account
- The attacker identifies target projects where repository and CI/CD features have been disabled
- Through direct API calls or specific URL navigation, the attacker queries for historical pipeline job data
- Due to the missing authorization check, the system returns pipeline job information that should be restricted
Since the vulnerability affects information disclosure rather than data modification or code execution, the attack does not require any user interaction and can be executed remotely over the network.
Detection Methods for CVE-2025-12555
Indicators of Compromise
- Unusual API requests to pipeline job endpoints for projects with disabled CI/CD features
- Access logs showing authenticated users querying CI/CD data on projects where they lack appropriate permissions
- Anomalous patterns of pipeline job information requests from single user accounts across multiple projects
- Requests to /api/v4/projects/:id/jobs or similar endpoints for projects with ci_cd_access_level set to disabled
Detection Strategies
- Monitor GitLab API access logs for requests to pipeline and job endpoints targeting projects with disabled features
- Implement alerting on access patterns where users query CI/CD endpoints for projects they have not recently contributed to
- Review audit logs for bulk retrieval of pipeline job information across multiple projects by single users
- Deploy web application firewall rules to flag suspicious API access patterns targeting CI/CD endpoints
Monitoring Recommendations
- Enable comprehensive GitLab audit logging for all API access to CI/CD-related endpoints
- Configure SIEM rules to correlate pipeline job access with project feature settings
- Establish baseline access patterns for CI/CD data and alert on deviations
- Regularly audit user access to projects with disabled repository and CI/CD features
How to Mitigate CVE-2025-12555
Immediate Actions Required
- Upgrade GitLab CE/EE instances to patched versions: 18.9.2, 18.8.6, or 18.7.6 immediately
- Review audit logs to identify any potential exploitation of this vulnerability prior to patching
- Assess which projects have disabled repository and CI/CD features and evaluate the sensitivity of their historical pipeline data
- Consider rotating any secrets or credentials that may have been exposed through pipeline job information
Patch Information
GitLab has released security patches addressing this vulnerability in the following versions:
| Branch | Patched Version |
|---|---|
| 18.9.x | 18.9.2 |
| 18.8.x | 18.8.6 |
| 18.7.x | 18.7.6 |
Organizations should upgrade to the appropriate patched version based on their current GitLab deployment. Detailed patch information is available in the GitLab Patch Release Announcement. Additional technical details can be found in GitLab Work Item #579126 and the HackerOne Report #3354642.
Workarounds
- If immediate patching is not possible, consider restricting API access through network-level controls or rate limiting
- Temporarily remove user access to projects containing sensitive pipeline job information where CI/CD has been disabled
- Implement additional monitoring on CI/CD API endpoints to detect and block suspicious access patterns
- Consider archiving or permanently deleting historical pipeline job data from sensitive projects with disabled CI/CD features
# Verify current GitLab version
gitlab-rake gitlab:env:info | grep "GitLab information"
# Check for projects with disabled CI/CD features
gitlab-rails runner "Project.where(ci_cd_access_level: 0).each { |p| puts \"#{p.id}: #{p.name}\" }"
# After upgrading, verify the patch was applied
gitlab-rake gitlab:check SANITIZE=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
