CVE-2025-14103 Overview
CVE-2025-14103 is a missing authorization vulnerability [CWE-862] in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw lets a user with Developer-role permissions set pipeline variables for manually triggered jobs under specific conditions, which should be restricted to higher-privileged roles.
The issue affects GitLab CE/EE versions 17.7 through 18.7.4, 18.8 through 18.8.4, and 18.9.0. GitLab released patches in 18.7.5, 18.8.5, and 18.9.1 on February 25, 2026. The vulnerability requires authenticated access and yields limited integrity impact without affecting confidentiality or availability.
Critical Impact
An authenticated Developer-role user can override pipeline variables on manually triggered jobs, potentially altering CI/CD behavior, build outputs, or environment-dependent logic.
Affected Products
- GitLab CE/EE versions 17.7 through 18.7.4
- GitLab CE/EE versions 18.8 through 18.8.4
- GitLab CE/EE version 18.9.0
Discovery Timeline
- 2026-02-25 - GitLab releases patch versions 18.7.5, 18.8.5, and 18.9.1
- 2026-02-25 - CVE-2025-14103 published to NVD
- 2026-02-27 - Last updated in NVD database
Technical Details for CVE-2025-14103
Vulnerability Analysis
The vulnerability resides in GitLab's CI/CD pipeline authorization logic for manually triggered jobs. Pipeline variables let users inject runtime configuration values into jobs, such as environment names, deployment targets, or build flags. GitLab's permission model restricts who can set these variables based on project role.
Under normal conditions, only Maintainer or Owner roles should set or override pipeline variables on manual jobs. The Developer role is intentionally limited to prevent privilege escalation through CI/CD execution context. This boundary breaks down under certain conditions described in the GitLab advisory.
A Developer-role user can supply variables that influence job execution. The impact remains constrained to integrity because pipelines run within their existing permission boundaries. However, manipulated variables can alter deployment behavior, redirect artifact destinations, or bypass workflow controls that rely on variable-driven logic.
Root Cause
The root cause is a missing authorization check [CWE-862] in the manual job trigger code path. GitLab failed to fully validate that the caller's role permitted setting pipeline variables for the specific trigger context. The check existed for standard pipeline creation but was incomplete for manually triggered job variants.
Attack Vector
An authenticated attacker with Developer access to a GitLab project triggers a manual CI/CD job. During the trigger request, the attacker supplies pipeline variables through the API or UI. Without the authorization check, GitLab accepts these variables and injects them into the job environment. Technical details are available in the GitLab Issue Discussion and HackerOne Report #3448317.
Detection Methods for CVE-2025-14103
Indicators of Compromise
- Manual job triggers from Developer-role accounts that include unexpected pipeline variable overrides in audit logs.
- CI/CD pipeline runs where job environment variables differ from project-defined defaults without corresponding Maintainer approval.
- Unusual deployment targets, artifact paths, or build flags appearing in jobs initiated by Developer-role users.
Detection Strategies
- Review GitLab audit events for the ci_variable and manual job trigger event types, correlating with the actor's project role at the time of action.
- Compare pipeline variable payloads between API calls and project configuration to identify unauthorized overrides.
- Alert on manual job executions where the triggering user holds Developer permissions and the job includes user-supplied variables.
Monitoring Recommendations
- Forward GitLab audit and CI/CD logs to a centralized log analytics platform for retention and correlation.
- Establish a baseline of normal pipeline variable usage per project to make anomalous overrides easier to flag.
- Monitor for outbound network connections and artifact uploads originating from runners executing manually triggered jobs.
How to Mitigate CVE-2025-14103
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.7.5, 18.8.5, or 18.9.1 depending on your current release branch.
- Audit recent manual job executions triggered by Developer-role users for unauthorized variable overrides.
- Review project membership and reduce Developer-role assignments where elevated permissions are not required.
Patch Information
GitLab addressed the vulnerability in the February 25, 2026 patch release. Apply version 18.7.5, 18.8.5, or 18.9.1 per the GitLab Patch Release Note. GitLab.com instances were patched by the vendor; self-managed instances require administrator action.
Workarounds
- Restrict the use of manual job triggers in .gitlab-ci.yml for projects where Developer-role users are present until patching is complete.
- Enforce protected variables and protected branches so sensitive CI/CD values cannot be overridden at runtime.
- Require Maintainer or Owner review for any pipeline definition changes that introduce manual job stages.
# Verify GitLab version and upgrade on a self-managed instance
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Debian/Ubuntu upgrade example
sudo apt-get update
sudo apt-get install gitlab-ee=18.9.1-ee.0
# RHEL/CentOS upgrade example
sudo yum install gitlab-ee-18.9.1-ee.0.el8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
