CVE-2025-9484 Overview
A sensitive information disclosure vulnerability has been identified in GitLab Enterprise Edition (EE) that allows authenticated users to access other users' email addresses through certain GraphQL queries. This vulnerability affects GitLab EE installations running versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3, potentially exposing private user information to unauthorized parties.
Critical Impact
Authenticated attackers can harvest email addresses of other GitLab users, enabling targeted phishing campaigns, social engineering attacks, and privacy violations across affected GitLab instances.
Affected Products
- GitLab Enterprise Edition versions 16.6 to 18.8.8
- GitLab Enterprise Edition versions 18.9.0 to 18.9.4
- GitLab Enterprise Edition versions 18.10.0 to 18.10.2
Discovery Timeline
- 2026-04-08 - CVE-2025-9484 published to NVD
- 2026-04-08 - GitLab releases security patch in versions 18.8.9, 18.9.5, and 18.10.3
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2025-9484
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), indicating that the affected GraphQL endpoints fail to properly verify whether the requesting user has sufficient permissions to access other users' email addresses. Under certain circumstances, the authorization checks that should protect user email information are bypassed, allowing any authenticated user to query and retrieve email addresses belonging to other users on the same GitLab instance.
The vulnerability resides in GitLab's GraphQL API implementation, which provides programmatic access to various GitLab resources. GraphQL queries that interact with user objects inadvertently expose email fields without adequate permission validation, creating an information disclosure pathway.
Root Cause
The root cause stems from missing authorization checks in specific GraphQL query handlers within GitLab EE. When processing certain user-related queries, the application fails to verify that the requesting user has the appropriate permissions to view private user attributes such as email addresses. This authorization gap allows the GraphQL resolver to return sensitive user data that should be protected by access controls.
Attack Vector
An attacker with valid authentication credentials to a GitLab EE instance can exploit this vulnerability by crafting specific GraphQL queries targeting user objects. The network-based attack requires low privileges (any authenticated user) and no user interaction, making exploitation straightforward for malicious insiders or compromised accounts.
The attack flow involves:
- Authenticating to the vulnerable GitLab instance
- Constructing GraphQL queries that request user email fields
- Iterating through user identifiers to harvest email addresses
- Using collected emails for subsequent attacks such as phishing or credential stuffing
No verified proof-of-concept code is publicly available for this vulnerability; details of the specific query structures involved are recorded in HackerOne Report #3303810 and the linked GitLab issue discussion.
Detection Methods for CVE-2025-9484
Indicators of Compromise
- Unusual volume of GraphQL queries from individual user accounts targeting user-related endpoints
- Query patterns that systematically enumerate user identifiers or request email fields across multiple users
- Authentication logs showing repeated API access from accounts not typically interacting with the GraphQL API
- Data access logs indicating bulk retrieval of user profile information
Detection Strategies
- Implement GraphQL query logging and monitor for queries requesting email fields across multiple users
- Configure alerts for high-frequency GraphQL requests from single authenticated sessions
- Deploy API anomaly detection to identify unusual patterns in user data access
- Review GitLab application logs for GraphQL queries containing user email field selections
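The strategies above amount to one check: find authenticated accounts that repeatedly issue GraphQL queries selecting email fields on other users' objects, and alert when that happens more than a few times inside a short window. The script below is an added illustration, not GitLab's own tooling. It assumes log lines shaped like GitLab's `graphql_json.log` (JSON with `time`, `meta.user`, `meta.remote_ip`, `operation_name` and `query_string` keys); the sample records are constructed, and the field names `email`, `emails`, `publicEmail` and `commitEmail` are assumed to be the email-bearing fields on the user type.

```python
"""Flag accounts that bulk-select user email fields through GraphQL.

Added example for this advisory, not GitLab code. Log layout is assumed to
follow graphql_json.log (time, meta.user, meta.remote_ip, query_string);
the sample records below are constructed for the demonstration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Email-bearing fields assumed to exist on the GraphQL user type.
EMAIL_FIELD_RE = re.compile(r"\b(email|emails|publicEmail|commitEmail)\b")
# Top-level lookups that walk *other* users. `currentUser` deliberately does
# not match: reading your own email address is legitimate and must not alert.
USER_QUERY_RE = re.compile(r"\busers?\s*[({]")

# Constructed sample log records (not captured from a real instance).
SAMPLE_RECORDS = [
    {"time": "2026-04-09T10:00:00.000Z", "meta.user": "alice", "meta.remote_ip": "10.0.0.5",
     "operation_name": "pipelines",
     "query_string": 'query pipelines { project(fullPath: "group/app") { pipelines { nodes { id status } } } }'},
    {"time": "2026-04-09T10:00:01.000Z", "meta.user": "bob", "meta.remote_ip": "10.0.0.9",
     "operation_name": "u1",
     "query_string": 'query u1 { user(username: "alice") { username email } }'},
    {"time": "2026-04-09T10:00:30.000Z", "meta.user": "bob", "meta.remote_ip": "10.0.0.9",
     "operation_name": "u2",
     "query_string": 'query u2 { user(username: "carol") { username email } }'},
    {"time": "2026-04-09T10:01:10.000Z", "meta.user": "bob", "meta.remote_ip": "10.0.0.9",
     "operation_name": "u3",
     "query_string": 'query u3 { users(first: 100) { nodes { username publicEmail } } }'},
    {"time": "2026-04-09T10:02:00.000Z", "meta.user": "carol", "meta.remote_ip": "10.0.0.7",
     "operation_name": "me",
     "query_string": 'query me { currentUser { username email } }'},
    {"time": "2026-04-09T10:05:00.000Z", "meta.user": "dave", "meta.remote_ip": "10.0.0.3",
     "operation_name": "one",
     "query_string": 'query one { user(username: "alice") { username email } }'},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def parse_lines(text):
    """Yield one dict per JSON log line, skipping blank or malformed entries."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole sweep


def is_email_harvest_query(query_string):
    """True when a query both walks user objects and selects an email field."""
    return bool(USER_QUERY_RE.search(query_string)
                and EMAIL_FIELD_RE.search(query_string))


def find_bulk_email_access(text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: total_hits} for accounts whose email-selecting queries
    reach `threshold` inside any sliding window of length `window`."""
    hits = defaultdict(list)
    for rec in parse_lines(text):
        if not is_email_harvest_query(rec.get("query_string", "")):
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        hits[rec.get("meta.user", "<unknown>")].append(ts)

    flagged = {}
    for user, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[user] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for user, count in find_bulk_email_access(SAMPLE_LOG).items():
        print(f"ALERT user={user} email-selecting queries={count}")
```

Run against the constructed sample, only `bob` is flagged: three email-selecting queries against other users within 70 seconds. `carol` reading her own address via `currentUser` and `dave` making a single lookup stay below the bar, which is the kind of baseline-versus-deviation distinction the monitoring recommendations call for. Tune `threshold` and `window` to the instance's normal GraphQL usage before wiring the output into a SIEM alert.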
Monitoring Recommendations
- Enable detailed logging for GitLab GraphQL endpoints and retain logs for forensic analysis
- Establish baseline metrics for normal GraphQL query patterns per user and alert on deviations
- Monitor for bulk data extraction attempts through rate limiting thresholds on user-related queries
- Integrate GitLab audit logs with SIEM solutions for centralized visibility
How to Mitigate CVE-2025-9484
Immediate Actions Required
- Upgrade GitLab EE to patched versions: 18.8.9, 18.9.5, or 18.10.3 immediately
- Audit GraphQL access logs for signs of exploitation prior to patching
- Review accounts with elevated API access for suspicious query patterns
- Notify users if email harvesting is suspected to have occurred
Patch Information
GitLab has released security patches addressing this vulnerability in the following versions:
| Fixed Version | Release Date |
|---|---|
| 18.8.9 | 2026-04-08 |
| 18.9.5 | 2026-04-08 |
| 18.10.3 | 2026-04-08 |
For complete patch details and upgrade instructions, refer to the GitLab Patch Release Notes.
Workarounds
- Restrict GraphQL API access to trusted users or applications until patching is complete
- Implement network-level controls to limit API access from untrusted network segments
- Consider temporarily disabling public GraphQL introspection to reduce attack surface
- Deploy a Web Application Firewall (WAF) with rules to detect and block suspicious GraphQL query patterns
If immediate patching is not feasible, reduce how quickly a single account can issue API requests. Note that rate limiting only slows harvesting; it does not close the authorization gap, so it is a stopgap until the upgrade is applied. In current releases the authenticated API limits are administered from the Admin Area (Settings, then Network); the gitlab.rb snippet below is illustrative, and the key names should be checked against the gitlab.rb.template shipped with your Omnibus installation (/opt/gitlab/etc/gitlab.rb.template) before use, followed by `gitlab-ctl reconfigure`:

```ruby
# Example: Configure GitLab rate limiting in gitlab.rb
# Adjust values based on your environment and verify the key names
# against your installation's gitlab.rb.template before applying.
gitlab_rails['rate_limit_requests_per_period'] = 60
gitlab_rails['rate_limit_period'] = 60
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.