CVE-2025-4976 Overview
CVE-2025-4976 is an information disclosure vulnerability in GitLab Enterprise Edition (EE). The flaw affects GitLab Duo, the AI-assisted development feature. Under specific circumstances, an attacker can retrieve internal notes through GitLab Duo responses. Internal notes are intended to remain visible only to project members with elevated permissions.
The issue impacts GitLab EE versions 17.0 through 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1. GitLab classifies the finding under [CWE-213] Exposure of Sensitive Information Due to Incompatible Policies. The vulnerability was reported through the HackerOne coordinated disclosure program.
Critical Impact
An unauthenticated network-based attacker can access confidential internal notes surfaced through GitLab Duo AI responses, exposing sensitive project discussions.
Affected Products
- GitLab Enterprise Edition 17.0 through 18.0.4
- GitLab Enterprise Edition 18.1 before 18.1.3
- GitLab Enterprise Edition 18.2 before 18.2.1
Discovery Timeline
- 2025-07-24 - CVE-2025-4976 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-4976
Vulnerability Analysis
GitLab Duo integrates generative AI into GitLab workflows to summarize issues, merge requests, and discussions. The vulnerability stems from insufficient access control checks when Duo aggregates context for its responses. Duo pulls content from associated resources without consistently enforcing the confidentiality flag on internal notes.
Internal notes are a GitLab feature that restricts comment visibility to project members with at least Reporter role. When Duo generates a response, the affected code paths included internal note content in the model context. This content then surfaced in AI output visible to users who lacked authorization to view the original notes.
The result is a confidentiality boundary violation. The integrity and availability of the system remain unaffected, but sensitive project discussions, security triage details, and internal review comments become readable through the AI interface.
Root Cause
The root cause is inconsistent authorization enforcement between the traditional GitLab UI and the Duo AI context builder. The UI correctly filters internal notes based on user role. The Duo context assembly logic did not apply the same visibility policy before passing note contents to the language model.
Attack Vector
Exploitation requires an attacker with network access to a GitLab instance running the vulnerable Duo integration. The attacker prompts Duo to summarize or discuss an issue, merge request, or epic that contains internal notes. The model output returns text derived from those notes, disclosing information the requesting user should not see. No authentication or user interaction beyond the standard Duo prompt is required in the vulnerable configurations.
No verified public proof-of-concept code is available. Technical details are documented in the GitLab Issue Report and the corresponding HackerOne Security Report.
Detection Methods for CVE-2025-4976
Indicators of Compromise
- GitLab Duo API requests followed by user access to issues or merge requests they lack permission to view directly
- Audit log entries showing Duo responses containing text that matches internal note content
- Anomalous prompt patterns targeting specific issue IDs or merge request IDs known to contain internal notes
Detection Strategies
- Correlate GitLab production logs for duo_chat and ai_gateway requests against user role assignments for the referenced resources
- Review the audit_events table for read operations on internal notes that occur outside of standard UI navigation flows
- Compare GitLab version strings reported by /help or the /api/v4/version endpoint against the patched releases 18.0.5, 18.1.3, and 18.2.1
Monitoring Recommendations
- Enable verbose logging on the GitLab AI Gateway and forward events to a centralized SIEM for retention and correlation
- Alert on Duo response volumes that exceed baseline for individual users, which may indicate scraping activity
- Track GitLab instance versions across the fleet to confirm timely patching of Duo-enabled deployments
How to Mitigate CVE-2025-4976
Immediate Actions Required
- Upgrade GitLab EE to version 18.0.5, 18.1.3, 18.2.1, or later as prescribed by the vendor advisory
- Audit recent Duo interactions for exposure of internal notes and notify affected project owners
- Restrict Duo access to trusted user groups while patching is in progress
Patch Information
GitLab has released fixed versions 18.0.5, 18.1.3, and 18.2.1 that enforce internal note visibility rules in the Duo context builder. Self-managed customers must apply the upgrade through their standard package or Helm chart update process. GitLab.com SaaS instances have been patched by the vendor. Consult the GitLab Issue Report for the fix commit references.
Workarounds
- Disable the GitLab Duo feature in the Admin Area under Settings > General > AI-powered features until the upgrade is complete
- Remove sensitive content from internal notes on active projects and use protected channels for confidential discussions
- Limit Duo seat assignments to a small pilot group of trusted maintainers during the mitigation window
# Disable GitLab Duo globally via Rails console on self-managed instances
sudo gitlab-rails runner "Ai::Setting.instance.update!(duo_features_enabled: false)"
# Verify current GitLab version
sudo gitlab-rake gitlab:env:info | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

