Skip to main content
CVE Vulnerability Database

CVE-2026-7492: GitLab Information Disclosure Vulnerability

CVE-2026-7492 is an information disclosure vulnerability in GitLab CE/EE allowing unauthenticated users to detect private projects through improper authorization controls. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-7492 Overview

CVE-2026-7492 is a missing authorization vulnerability [CWE-862] in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2. Improper authorization checks on cross-project reference pages allow an authenticated low-privileged user to determine whether a private project exists.

The issue is a confidentiality-only information disclosure. It does not permit access to project contents, modification of data, or service disruption. GitLab remediated the issue in patch release 19.1.2 and backported fixes to 18.11.7 and 19.0.4.

Critical Impact

Attackers can enumerate the existence of private GitLab projects across a tenant, exposing project naming conventions and internal repository structure that support targeted follow-on attacks.

Affected Products

  • GitLab CE/EE versions 9.1 through 18.11.6
  • GitLab CE/EE versions 19.0 through 19.0.3
  • GitLab CE/EE versions 19.1 through 19.1.1

Discovery Timeline

  • 2026-07-08 - CVE-2026-7492 published to the National Vulnerability Database (NVD)
  • 2026-07-08 - Last updated in NVD database
  • 2026-07-09 - Exploit Prediction Scoring System (EPSS) data published

Technical Details for CVE-2026-7492

Vulnerability Analysis

The vulnerability resides in GitLab's cross-project reference handling. Cross-project references allow users to link issues, merge requests, or commits across projects using shorthand syntax such as group/project#123. The rendering path for these references failed to enforce authorization consistently.

When an unauthorized user requested a page containing a reference to a private project, GitLab returned differential responses. The response signaled whether the target project existed, even though the requester had no permission to view it. This behavior violates the principle that non-existent and unauthorized resources should be indistinguishable.

The flaw is classified under [CWE-862] Missing Authorization. It is limited to disclosure of project existence and does not expose issue titles, source code, or member data. The attacker must hold a valid low-privileged account, per the CVSS vector requirement of PR:L.

Root Cause

The root cause is an authorization check omitted from the code path that resolves cross-project references during page rendering. The reference resolver queried project metadata without first verifying that the requesting user held the read_project permission on the referenced target.

Attack Vector

An authenticated attacker crafts a page or comment containing a cross-project reference targeting a suspected private project path. Rendering behavior or response metadata reveals whether the referenced project exists. The attacker iterates across candidate names to enumerate private projects belonging to other groups or users. Full technical details are tracked in GitLab Work Item #597947 and HackerOne Report #3704739.

Detection Methods for CVE-2026-7492

Indicators of Compromise

  • Repeated requests to reference-rendering endpoints containing varied namespace/project path fragments from a single authenticated session
  • Elevated volumes of 200 versus 404 response pairs correlated to project reference lookups in GitLab access logs
  • Comment or issue creation activity that includes cross-project references to namespaces the user does not belong to

Detection Strategies

  • Parse GitLab production_json.log for Projects::RefsController and reference resolution controllers, flagging users generating high-cardinality project path queries
  • Baseline normal cross-project reference activity per user and alert on statistical outliers
  • Correlate reference-rendering requests with the requesting user's group membership to identify probing patterns

Monitoring Recommendations

  • Forward GitLab application and audit logs to a centralized analytics platform for retention and correlation
  • Track authentication events alongside API request patterns to identify accounts exhibiting enumeration behavior
  • Review GitLab audit events for creation of references to projects outside the user's accessible namespaces

How to Mitigate CVE-2026-7492

Immediate Actions Required

  • Upgrade self-managed GitLab instances to 18.11.7, 19.0.4, or 19.1.2 immediately
  • Audit user accounts and revoke tokens for accounts exhibiting enumeration patterns
  • Verify GitLab.com Dedicated tenants have received the patched release from GitLab

Patch Information

GitLab released fixes in versions 18.11.7, 19.0.4, and 19.1.2. Details are documented in the GitLab Patch Release 19.1.2 announcement. Administrators of self-managed instances should apply the patch through the standard package upgrade path and validate the running version with gitlab-rake gitlab:env:info.

Workarounds

  • Restrict account creation and disable public sign-up on self-managed instances to reduce the pool of authenticated attackers
  • Enforce group-level visibility controls and review project path naming conventions that reveal sensitive context
  • Apply web application firewall rules to rate-limit repeated cross-project reference lookups per authenticated session
bash
# Verify installed GitLab version after patching
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5

# Debian/Ubuntu upgrade example
sudo apt-get update && sudo apt-get install gitlab-ee=19.1.2-ee.0

# RHEL/CentOS upgrade example
sudo yum install gitlab-ee-19.1.2-ee.0.el8.x86_64

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.