CVE-2026-3160 Overview
CVE-2026-3160 is an access control vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An authenticated user can view Jira issues outside the configured project scope. The integration filter operates as a display control rather than enforcing access boundaries as specified. The weakness is classified under [CWE-441] (Unintended Proxy or Intermediary). GitLab issued patches in the 18.11.3 release on May 13, 2026.
Critical Impact
Authenticated GitLab users can bypass Jira project scope restrictions and view issues outside the boundaries set by administrators, leading to unintended information disclosure across integrated Jira projects.
Affected Products
- GitLab CE/EE versions 13.7 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases security patch in version 18.11.3
- 2026-05-14 - CVE-2026-3160 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-3160
Vulnerability Analysis
The vulnerability resides in the GitLab Jira integration component. GitLab administrators can configure a project-scope filter that limits which Jira projects are exposed through the integration. The filter was implemented only at the presentation layer. The backend authorization logic did not enforce the same scope boundaries when serving Jira issue data to authenticated users.
An authenticated user with valid GitLab credentials can request Jira issues that fall outside the configured scope. The server returns the requested issue data because the access boundary check is missing. The attack is network-reachable and requires no user interaction beyond standard authenticated API calls.
The issue is tracked under CWE-441 because the GitLab instance acts as an intermediary that forwards requests to Jira without applying the documented access control policy.
Root Cause
The root cause is a missing authorization check in the Jira integration filter. The filter component was designed to hide out-of-scope issues from the user interface. Direct API queries and underlying data retrieval paths did not consult the same scope configuration. The display-layer control created a gap between policy specification and policy enforcement.
Attack Vector
An authenticated GitLab user issues a request for Jira issue data referencing a project outside the configured integration scope. The GitLab backend retrieves and returns the data because no enforcement layer rejects the out-of-scope request. The scope changes to a different security context, which matches the CVSS scope-changed indicator. Confidentiality of Jira issue content is the primary impact. No code execution, data modification, or service disruption is possible through this flaw.
The vulnerability mechanism is described in the GitLab Patch Release Announcement and GitLab Work Item Details.
Detection Methods for CVE-2026-3160
Indicators of Compromise
- Authenticated API requests to Jira integration endpoints referencing project keys outside the configured scope.
- Unusual volume of Jira issue lookup requests originating from low-privilege GitLab users.
- Audit log entries showing Jira integration queries that return issues from projects not listed in the integration configuration.
Detection Strategies
- Compare the Jira project keys referenced in GitLab access logs against the configured scope filter for each project integration.
- Alert on authenticated GitLab sessions that retrieve Jira issue identifiers belonging to projects the integration was not authorized to expose.
- Review GitLab audit events for repeated Jira integration calls from individual users within short time windows.
Monitoring Recommendations
- Forward GitLab production logs and audit events to a centralized log platform for correlation against Jira integration configuration data.
- Monitor for spikes in Jira API proxy traffic through GitLab instances during the exposure window before patching.
- Track user enumeration patterns where the same account queries multiple distinct Jira project keys.
How to Mitigate CVE-2026-3160
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.9.7, 18.10.6, or 18.11.3 depending on the deployed branch.
- Audit Jira integration configurations and review recent access logs for out-of-scope issue retrieval.
- Restrict the GitLab service account used to connect to Jira so that it can only access projects intended for integration.
Patch Information
GitLab released fixed versions 18.9.7, 18.10.6, and 18.11.3 on May 13, 2026. The patch enforces the Jira integration scope filter at the data access layer. Administrators running self-managed GitLab should plan an immediate upgrade. GitLab.com customers receive the fix automatically. See the GitLab Patch Release Announcement and the corresponding HackerOne Report #3566042 for additional context.
Workarounds
- Reduce the permissions of the Jira account used by the GitLab integration so that it cannot read projects outside the intended scope.
- Disable the Jira integration on affected GitLab projects until the upgrade is completed.
- Apply network-level controls between GitLab and Jira to limit which Jira projects the integration service account can reach.
# Verify the running GitLab version and plan an upgrade
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Example upgrade command for Omnibus GitLab on Debian/Ubuntu
sudo apt-get update && sudo apt-get install gitlab-ee=18.11.3-ee.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
