CVE-2025-13874 Overview
GitLab patched an authorization flaw in GitLab Community Edition (CE) and Enterprise Edition (EE) that exposed issue data to users without proper permissions. The vulnerability affects all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An authenticated user with Guest permissions could view issues in projects they were not authorized to access. The flaw is tracked as [CWE-639] Authorization Bypass Through User-Controlled Key.
Critical Impact
Authenticated Guest-level users can read issue content from restricted projects, exposing potentially sensitive engineering, security, or business information stored in issue trackers.
Affected Products
- GitLab CE/EE versions 15.1 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patch versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2025-13874 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2025-13874
Vulnerability Analysis
The vulnerability resides in GitLab's authorization logic governing issue visibility. GitLab enforces a role-based permission model where Guest users have restricted read access to project resources. The flawed authorization check allowed Guest-level accounts to retrieve issue records belonging to projects outside their assigned membership scope.
The issue is categorized as an Insecure Direct Object Reference (IDOR) under [CWE-639], Authorization Bypass Through User-Controlled Key: an application uses a client-supplied identifier to fetch a resource without re-validating that the requester is entitled to access that specific object. The attack requires only low privileges and operates over the network without user interaction.
Confidentiality of issue contents, including descriptions, comments, attachments, and metadata, can be compromised. Integrity and availability of the affected projects are not impacted by this flaw.
Root Cause
The root cause is a missing or incomplete authorization check on the code path that returns issue data. The handler relied on the user's authenticated session and an object identifier but did not verify that the requester held adequate membership or visibility on the parent project. This allowed cross-project access using direct object references.
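The following Ruby sketch, added here and not taken from GitLab's code base, contrasts the root-cause pattern (an issue finder that trusts the session plus a client-supplied id) with a finder that resolves the parent project and checks the requester's access before returning the record. All class names, access levels and sample data are constructed for illustration.

```ruby
# Hypothetical, simplified model of the IDOR pattern described above, written
# for this page; it is not GitLab's code and the names are illustrative only.
Project = Struct.new(:id, :visibility)            # :private, :internal or :public
Issue   = Struct.new(:iid, :project, :title, :confidential)
User    = Struct.new(:username, :memberships)     # { project_id => access_level }
GUEST    = 10
REPORTER = 20

# Vulnerable pattern: the handler trusts the authenticated session plus the
# client-supplied project and issue ids and never re-validates the requester's
# visibility on the parent project.
def find_issue_vulnerable(user, issues, project_id, iid)
  raise 'unauthenticated' if user.nil?
  issues.find { |i| i.project.id == project_id && i.iid == iid }
end

# Simplified visibility rule: public projects are readable by anyone, internal
# ones by any signed-in user, private ones only by members.
def can_read_project?(user, project)
  return true if project.visibility == :public
  return true if (user.memberships[project.id] || 0) >= GUEST
  project.visibility == :internal
end

# Fixed pattern: resolve the parent project and check the requester's access
# before the record is returned. Unauthorized reads return nil so the caller
# answers 404 and does not confirm that the issue exists. Confidential issues
# additionally require at least Reporter (simplified rule).
def find_issue_fixed(user, issues, project_id, iid)
  raise 'unauthenticated' if user.nil?
  issue = issues.find { |i| i.project.id == project_id && i.iid == iid }
  return nil if issue.nil? || !can_read_project?(user, issue.project)
  return nil if issue.confidential && (user.memberships[issue.project.id] || 0) < REPORTER
  issue
end

# Constructed sample data: a Guest on project 7 who is not a member of project 42.
OWN_PROJECT     = Project.new(7, :private)
PRIVATE_PROJECT = Project.new(42, :private)
ISSUES = [
  Issue.new(1, OWN_PROJECT, 'fix login redirect', false),
  Issue.new(2, OWN_PROJECT, 'credential rotation plan', true),
  Issue.new(1, PRIVATE_PROJECT, 'internal audit findings', false)
].freeze
GUEST_USER    = User.new('guest_user', { 7 => GUEST })
REPORTER_USER = User.new('reporter', { 7 => REPORTER })
```

With this data, `find_issue_vulnerable(GUEST_USER, ISSUES, 42, 1)` returns the private project's issue while `find_issue_fixed` returns nil for the same call.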
Attack Vector
An attacker authenticates to a GitLab instance with any account that holds Guest permissions on at least one project. The attacker then issues requests referencing issue identifiers belonging to projects where they have no membership. The server returns issue contents that should be restricted to project members. Refer to the GitLab Work Item #582634 and the HackerOne Security Report #3445398 for additional technical context.
No public exploit code is available. The vulnerability mechanism is described in prose; no verified proof-of-concept has been published.
Detection Methods for CVE-2025-13874
Indicators of Compromise
- Repeated authenticated API requests to /api/v4/projects/:id/issues/:iid or GraphQL issue queries from Guest-tier accounts targeting project IDs outside their membership
- Anomalous enumeration patterns where a single user session iterates through sequential issue or project identifiers
- Audit log entries showing successful issue reads by accounts that lack explicit project membership
Detection Strategies
- Review GitLab production logs (production_json.log and api_json.log) for high-volume issue lookups originating from low-privilege users
- Correlate authentication events with project membership state to flag access to issues in non-member projects
- Hunt for GraphQL queries requesting issue nodes by global ID from accounts without corresponding project roles
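As an added example (not part of the original advisory), the Ruby script below applies the first two detection strategies to api_json.log: it parses JSON log lines, keeps successful GET requests for /api/v4/projects/:id/issues/:iid, correlates the requesting username with a membership roster, and flags sequential-iid runs that match the enumeration indicator. The log lines and the roster are constructed; the field names (`path`, `method`, `status`, `username`, `time`) follow GitLab's api_json.log format.

```ruby
require 'json'
require 'set'

# Constructed sample lines in the shape of GitLab's api_json.log (one JSON
# object per line). Field names follow that format; the values are made up.
SAMPLE_LOG = <<~LOG
  {"time":"2026-05-12T10:00:01Z","method":"GET","path":"/api/v4/projects/7/issues/1","status":200,"username":"alice","user_id":12}
  {"time":"2026-05-12T10:00:02Z","method":"GET","path":"/api/v4/projects/42/issues/1","status":200,"username":"guest_user","user_id":99}
  {"time":"2026-05-12T10:00:03Z","method":"GET","path":"/api/v4/projects/42/issues/2","status":200,"username":"guest_user","user_id":99}
  {"time":"2026-05-12T10:00:04Z","method":"GET","path":"/api/v4/projects/42/issues/3","status":200,"username":"guest_user","user_id":99}
  {"time":"2026-05-12T10:00:05Z","method":"GET","path":"/api/v4/projects/43/issues/1","status":404,"username":"guest_user","user_id":99}
  {"time":"2026-05-12T10:00:06Z","method":"GET","path":"/api/v4/projects/7/issues/5","status":200,"username":"guest_user","user_id":99}
LOG

# Constructed membership roster: username => set of project IDs the account
# belongs to (in practice, export this from the Members API or the database).
MEMBERSHIP = {
  'alice'      => Set[7, 42],
  'guest_user' => Set[7]
}.freeze

ISSUE_PATH = %r{\A/api/v4/projects/(\d+)/issues/(\d+)\z}.freeze

# Successful GET requests for a single issue where the requesting account is
# not a member of the target project. Non-2xx responses are ignored because
# the server refused them.
def cross_project_issue_reads(log_text, membership)
  log_text.each_line.filter_map do |line|
    entry = JSON.parse(line)
    next unless entry['method'] == 'GET' && entry['status'].to_i.between?(200, 299)
    m = ISSUE_PATH.match(entry['path'].to_s) or next
    project_id, iid = m[1].to_i, m[2].to_i
    next if membership.fetch(entry['username'], Set.new).include?(project_id)
    { user: entry['username'], project_id: project_id, iid: iid, time: entry['time'] }
  end
end

# Per user and project, count adjacent sequential iids among the flagged reads
# and report runs of at least min_run, the enumeration pattern listed above.
def enumeration_suspects(findings, min_run: 3)
  findings.group_by { |f| [f[:user], f[:project_id]] }.filter_map do |(user, pid), fs|
    iids = fs.map { |f| f[:iid] }.uniq.sort
    sequential = iids.each_cons(2).count { |a, b| b == a + 1 } + 1
    { user: user, project_id: pid, reads: iids.size } if sequential >= min_run
  end
end
```

Run against a real log with `cross_project_issue_reads(File.read('/var/log/gitlab/gitlab-rails/api_json.log'), roster)` and feed the result to `enumeration_suspects`; GraphQL lookups by global ID need a separate matcher on the request body, which this script does not cover.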
Monitoring Recommendations
- Enable and centralize GitLab audit events for issue access where available in your edition
- Forward GitLab application and API logs to a SIEM and build alerting on cross-project access patterns by Guest accounts
- Periodically reconcile Guest account activity against project membership rosters to identify unexpected reads
How to Mitigate CVE-2025-13874
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.11.3, 18.10.6, or 18.9.7 as appropriate for your release branch
- Audit issue access logs for unauthorized reads by Guest-tier accounts in the window before the patch was applied
- Review and reduce the number of Guest-level accounts on instances exposed to untrusted users
Patch Information
GitLab released fixed builds on 2026-05-13. See the GitLab Patch Release Note for the complete advisory and download links. Self-managed administrators should follow the standard upgrade path for their installation method (Omnibus, Helm, Docker, or source).
Workarounds
- No vendor-supplied workaround exists; upgrading is the supported remediation
- As a temporary risk-reduction measure, restrict Guest account creation and remove Guest membership from accounts that do not require it
- Consider tightening the visibility level of sensitive projects and limiting public sign-up until patches are applied
# Verify GitLab version after upgrade
sudo gitlab-rake gitlab:env:info | grep -A 5 "GitLab information"
# Omnibus upgrade example (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install gitlab-ee=18.11.3-ee.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.