CVE-2026-4524 Overview
GitLab patched an authorization flaw in GitLab Community Edition (CE) and Enterprise Edition (EE) that exposed confidential issue content in public projects. The weakness is tracked under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and allows an authenticated user to read confidential issue data without holding the role that confidential issues require. It affects all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. GitLab shipped the fixed versions on May 13, 2026 as a coordinated patch release.
Critical Impact
Authenticated attackers can read confidential issue content in public GitLab projects, exposing sensitive engineering, security, or business information intended for restricted audiences.
Affected Products
- GitLab CE/EE versions 18.9.1 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patch versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2026-4524 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-4524
Vulnerability Analysis
The vulnerability is a broken access control issue in GitLab's handling of confidential issues within public projects. Confidential issues are meant to be visible only to project members with sufficient role permissions, typically Reporter or above, plus the issue's author and assignees. The authorization layer did not fully enforce this restriction, so any authenticated GitLab user could retrieve confidential issue content from a public project they were able to browse, without being a member at all.
The attack requires network access to the GitLab instance and a valid authenticated session. No user interaction is needed beyond standard API or web requests. Exploitation impacts confidentiality only — attackers cannot modify issue content or disrupt availability through this flaw.
Confidential issues frequently contain undisclosed security vulnerabilities, internal incident details, customer information, or sensitive business logic. Exposure of this data on self-managed or GitLab.com-hosted public projects can lead to disclosure of pre-patch vulnerabilities and other sensitive engineering material.
Root Cause
The root cause is classified under [CWE-288] (Authentication Bypass Using an Alternate Path or Channel). The permission check that gates confidential issues in public projects was not applied on every path by which issue data could be reached: a request over one path was correctly checked against the confidential-access policy, while a request for the same data over an alternate path was served without validating the requester's role.
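The pattern above is easiest to see in a small model. The following is an added illustration of the CWE-288 shape the advisory describes; it is hypothetical code, not GitLab's implementation or data model, and the roles, names and the "Reporter or above" policy are assumed for the example. The list path and the by-id path both exist, but only the list path consults the confidential policy; the hardened version routes every read through one visibility predicate.

```python
"""Toy model of the root-cause pattern (hypothetical; not GitLab's code or data model)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    NONE = 0
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30


@dataclass
class Issue:
    iid: int
    title: str
    confidential: bool = False


@dataclass
class Project:
    public: bool
    members: dict                      # username -> Role (assumed shape)
    issues: list = field(default_factory=list)


def can_browse(project: Project, user: str) -> bool:
    """Public projects are browsable by any authenticated user; private ones by members."""
    return project.public or user in project.members


def can_read_confidential(project: Project, user: str) -> bool:
    """Assumed policy: Reporter or above may read confidential issues."""
    return project.members.get(user, Role.NONE) >= Role.REPORTER


def issue_visible(project: Project, user: str, issue: Issue) -> bool:
    """The single visibility predicate every read path should go through."""
    return can_browse(project, user) and (not issue.confidential or can_read_confidential(project, user))


def list_issues(project: Project, user: str) -> list:
    """Primary path: filters confidential issues correctly."""
    return [i for i in project.issues if issue_visible(project, user, i)]


def get_issue_vulnerable(project: Project, user: str, iid: int) -> Optional[Issue]:
    """Alternate path with the CWE-288 defect: it re-implements only the browse check
    and never consults the confidential policy, so a non-member of a public project
    can fetch a confidential issue by iid."""
    if not can_browse(project, user):
        return None
    return next((i for i in project.issues if i.iid == iid), None)


def get_issue_fixed(project: Project, user: str, iid: int) -> Optional[Issue]:
    """Hardened path: reuse the same predicate as the list path, and answer 'not found'
    for both missing and forbidden issues so the response does not leak existence."""
    issue = next((i for i in project.issues if i.iid == iid), None)
    if issue is None or not issue_visible(project, user, issue):
        return None
    return issue


def demo() -> dict:
    """Constructed scenario: public project, alice is a Reporter, mallory is not a member."""
    project = Project(public=True, members={"alice": Role.REPORTER}, issues=[
        Issue(1, "Docs typo"),
        Issue(2, "Embargoed security report", confidential=True),
    ])
    return {
        "list_mallory": [i.iid for i in list_issues(project, "mallory")],
        "vulnerable_mallory": get_issue_vulnerable(project, "mallory", 2),
        "fixed_mallory": get_issue_fixed(project, "mallory", 2),
        "fixed_alice": get_issue_fixed(project, "alice", 2),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fixed variant is not the extra `if`; it is that there is exactly one predicate for "may this user see this issue", so a new endpoint cannot accidentally skip the policy, and that forbidden and nonexistent issues are indistinguishable to the caller.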
Attack Vector
An authenticated attacker queries confidential issues belonging to a public project through GitLab's API or web interface. Because the authorization check is incomplete, the server returns the protected issue data instead of rejecting the request. The attacker requires only a standard low-privilege user account on the target instance.
No verified proof-of-concept exploit has been published. Technical details are tracked in the GitLab Work Item #594295 and the HackerOne Report #3597717.
Detection Methods for CVE-2026-4524
Indicators of Compromise
- Unusual volume of GET requests to /api/v4/projects/:id/issues endpoints with confidential=true filters originating from low-privilege user tokens.
- Access log entries showing authenticated users retrieving confidential issue IDs in public projects where the user is not a member.
- Anomalous personal access token (PAT) activity enumerating issues across many unrelated public projects.
Detection Strategies
- Review GitLab application logs for issue reads where the actor lacks Reporter-level membership on the target project. GitLab audit events do not record issue reads, so this review has to run against api_json.log (API requests) and production_json.log (web UI requests), both of which record the path, query parameters, HTTP status and username of each request; a 403 or 404 means the check held, while a 200 to a non-member is the exposure you are looking for.
- Correlate API request patterns against user role assignments to identify access attempts inconsistent with project membership.
- Hunt for token-driven scraping behavior using rate-based heuristics on the issues API.
Monitoring Recommendations
- Forward GitLab production logs and audit events to a centralized analytics platform and alert on confidential issue reads by non-members.
- Track personal access token usage by scope and enforce expiry rotation for tokens with broad api scope.
- Baseline normal issue-API request volume per user and alert on deviations indicative of enumeration.
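The indicators and strategies above, run over log lines, as an added example (not GitLab tooling). It assumes the JSON-per-line shape of api_json.log with the documented `path`, `params` (a list of key/value pairs), `status` and `username` fields; the sample lines, the membership table and the set of known confidential issue iids are all constructed here, and in practice you would build the latter two from the Members API and from an administrator's view of the issues API. Three rules are implemented: a `confidential=true` list request answered with 200 to a non-member, a 200 read of a known confidential issue by a non-member, and one user touching the issue endpoints of many distinct projects.

```python
"""Detection sketch for the indicators above (added example; not GitLab tooling)."""
import json
import re
from collections import defaultdict

ISSUE_PATH = re.compile(r"^/api/v4/projects/(?P<project>\d+)/issues(?:/(?P<iid>\d+))?/?$")
ENUM_THRESHOLD = 3  # distinct projects' issue endpoints touched by one user (assumed tuning value)

# Assumed reference data. In practice build these from GET /projects/:id/members/all
# (access_level >= 20 is Reporter) and from an admin token's view of the issues API.
REPORTER_PLUS = {42: {"alice", "dave"}, 43: {"alice"}, 44: set(), 45: set()}
CONFIDENTIAL_IIDS = {42: {7, 9}, 43: {3}}

# Constructed sample lines in the shape of GitLab's api_json.log (one JSON object per
# line; real entries carry many more fields than the ones used here).
SAMPLE_LOG = """\
{"time":"2026-05-14T10:00:01Z","method":"GET","path":"/api/v4/projects/42/issues","params":[{"key":"confidential","value":"true"}],"status":200,"username":"mallory","user_id":900,"remote_ip":"203.0.113.7"}
{"time":"2026-05-14T10:00:02Z","method":"GET","path":"/api/v4/projects/42/issues","params":[{"key":"confidential","value":"true"}],"status":200,"username":"alice","user_id":12,"remote_ip":"198.51.100.4"}
{"time":"2026-05-14T10:00:03Z","method":"GET","path":"/api/v4/projects/42/issues/7","params":[],"status":200,"username":"mallory","user_id":900,"remote_ip":"203.0.113.7"}
{"time":"2026-05-14T10:00:04Z","method":"GET","path":"/api/v4/projects/43/issues/3","params":[],"status":404,"username":"mallory","user_id":900,"remote_ip":"203.0.113.7"}
{"time":"2026-05-14T10:00:05Z","method":"GET","path":"/api/v4/projects/44/issues","params":[{"key":"confidential","value":"true"}],"status":200,"username":"mallory","user_id":900,"remote_ip":"203.0.113.7"}
{"time":"2026-05-14T10:00:06Z","method":"GET","path":"/api/v4/projects/45/issues","params":[{"key":"per_page","value":"100"}],"status":200,"username":"mallory","user_id":900,"remote_ip":"203.0.113.7"}
{"time":"2026-05-14T10:00:07Z","method":"GET","path":"/api/v4/projects/42/issues/7","params":[],"status":200,"username":"dave","user_id":33,"remote_ip":"198.51.100.9"}
{"time":"2026-05-14T10:00:08Z","method":"GET","path":"/api/v4/projects/42/merge_requests","params":[],"status":200,"username":"bob","user_id":44,"remote_ip":"198.51.100.10"}
"""


def param(entry: dict, key: str):
    """Return a query parameter value from api_json.log's list-of-pairs encoding."""
    for p in entry.get("params") or []:
        if p.get("key") == key:
            return p.get("value")
    return None


def analyze(log_text: str) -> list:
    """Return a list of alert dicts, one per matched indicator."""
    alerts = []
    projects_touched = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("method") != "GET":
            continue
        m = ISSUE_PATH.match(entry.get("path", ""))
        if not m:
            continue
        project = int(m.group("project"))
        iid = int(m.group("iid")) if m.group("iid") else None
        user = entry.get("username")
        projects_touched[user].add(project)          # 403/404s still count toward enumeration
        privileged = user in REPORTER_PLUS.get(project, set())
        # Only a 200 to a non-member is exposure; a 403/404 means the check held.
        exposed = entry.get("status") == 200 and not privileged
        if iid is None and exposed and param(entry, "confidential") == "true":
            alerts.append({"rule": "confidential_list_by_non_member", "user": user,
                           "project": project, "time": entry["time"]})
        elif iid is not None and exposed and iid in CONFIDENTIAL_IIDS.get(project, set()):
            alerts.append({"rule": "confidential_issue_read_by_non_member", "user": user,
                           "project": project, "iid": iid, "time": entry["time"]})
    for user, projects in projects_touched.items():
        if len(projects) >= ENUM_THRESHOLD:
            alerts.append({"rule": "issue_enumeration", "user": user, "projects": sorted(projects)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Web UI reads land in production_json.log under paths of the form /group/project/-/issues/:iid rather than /api/v4/..., so a production deployment needs a second path pattern and a project-path-to-id lookup; the rules themselves are the same.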
How to Mitigate CVE-2026-4524
Immediate Actions Required
- Upgrade self-managed GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3 immediately based on installed release branch.
- Audit recent access to confidential issues in public projects and identify any unauthorized reads.
- Rotate personal access tokens and session credentials for accounts showing suspicious issue-enumeration activity.
Patch Information
GitLab released versions 18.9.7, 18.10.6, and 18.11.3 on May 13, 2026 to remediate this issue. GitLab.com was patched by the vendor. Self-managed administrators should follow the standard upgrade procedure documented in the GitLab Patch Release Announcement.
Workarounds
- Set affected projects to private visibility until the patch is applied. The flaw requires an authenticated user who can browse the project, so removing non-members' ability to reach the project's issues at all closes the exposure at the cost of public access.
- Move highly sensitive confidential issues to a separate private project with restricted membership.
- Restrict personal access token creation and reduce token scopes for general users to limit programmatic enumeration.
# Example: verify the installed GitLab version and upgrade an Omnibus (package) install
# Check the running version and release branch
sudo gitlab-rake gitlab:env:info | grep -A 5 "GitLab information"
# Take a backup before upgrading (recommended by the standard upgrade procedure)
sudo gitlab-backup create
# Install the fixed package for the branch you are on: 18.9.7, 18.10.6 or 18.11.3
# (18.11.3 shown; use gitlab-ce for Community Edition)
sudo apt-get update && sudo apt-get install gitlab-ee=18.11.3-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.