CVE-2026-8144 Overview
CVE-2026-8144 is a missing authorization vulnerability [CWE-862] in GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw affects all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. An authenticated user holding project membership can enumerate members of private groups because authorization checks are not enforced on the relevant endpoint. The issue impacts confidentiality only and does not require user interaction.
Critical Impact
Authenticated users with project membership can enumerate private group members, exposing organizational structure and identity information that should remain restricted.
Affected Products
- GitLab CE/EE versions 15.1 through 18.9.6
- GitLab CE/EE versions 18.10 through 18.10.5
- GitLab CE/EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patch releases 18.9.7, 18.10.6, and 18.11.3 addressing the issue
- 2026-05-14 - CVE-2026-8144 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-8144
Vulnerability Analysis
The vulnerability is a broken access control issue mapped to [CWE-862] Missing Authorization. GitLab exposes endpoints that return group membership data, but the affected code paths do not verify that the requesting user has permission to view private group composition. Any authenticated user who holds membership in a single project linked to a private group can query the endpoint and receive a list of that group's members.
The attack vector is network-based, requires low privileges, and does not require user interaction. Impact is limited to confidentiality of group membership information. The flaw does not enable modification of data or denial of service.
The exposed information includes user identifiers and account names within otherwise-private groups. While this is not credential disclosure, attackers can use the data to map organizational hierarchy, identify administrators, and prepare targeted phishing or social engineering campaigns against named individuals.
Root Cause
The root cause is a missing authorization check on a group member listing operation. The code returns membership data based on object existence rather than evaluating whether the requesting principal has the required group-level visibility permission. Project membership was treated as sufficient context for the request.
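To make the root cause concrete, the following added example (written for this page, not GitLab's own code) models the CWE-862 pattern in Ruby. The User/Group/Project structures, the visibility rule and the sample data are assumptions chosen to illustrate the difference between "the requester is a member of some linked project" and "the requester is allowed to read this group's membership"; they are not GitLab's policy classes or data model.

```ruby
# Illustrative model of a missing-authorization defect on a group member
# listing. NOT GitLab's code: structures, rules and data are assumptions.
require 'set'

User    = Struct.new(:id, :name)
Group   = Struct.new(:id, :visibility, :members)   # members: Set of user ids
Project = Struct.new(:id, :group_id, :members)     # members: Set of user ids

class NotAuthorized < StandardError; end

# Vulnerable shape: membership in any project linked to the group is the only
# gate, so the roster of a private group leaks to project-level members who
# were never added to the group itself.
def list_group_members_vulnerable(requester, group, projects)
  linked = projects.select { |p| p.group_id == group.id }
  raise NotAuthorized unless linked.any? { |p| p.members.include?(requester.id) }
  group.members.to_a
end

# Hardened shape: the group's own visibility rule decides. In this model a
# public group exposes membership to any authenticated user and a private
# group only to its own members; project membership is not consulted.
def can_read_group_members?(requester, group)
  return true if group.visibility == :public
  group.members.include?(requester.id)
end

def list_group_members_fixed(requester, group)
  raise NotAuthorized unless can_read_group_members?(requester, group)
  group.members.to_a
end

# Constructed sample data: olivia belongs to a project under the private
# group but is not a member of the group itself.
def sample_world
  alice  = User.new(1, 'alice')
  olivia = User.new(2, 'olivia')
  group  = Group.new(10, :private, Set[alice.id])
  proj   = Project.new(100, group.id, Set[alice.id, olivia.id])
  [alice, olivia, group, [proj]]
end

# Runs both shapes against the sample data and reports what each returns.
def demo
  alice, olivia, group, projects = sample_world
  leaked = list_group_members_vulnerable(olivia, group, projects)
  fixed  = begin
    list_group_members_fixed(olivia, group)
  rescue NotAuthorized
    :denied
  end
  { vulnerable: leaked, fixed: fixed, owner_view: list_group_members_fixed(alice, group) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the model is that the vulnerable function never asks a question about the group; it asks a question about a neighbouring object (the project) and treats a positive answer as sufficient. The fixed function evaluates the permission on the object whose data is actually being returned.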
Attack Vector
An attacker authenticates to GitLab using any valid account that holds membership in at least one project associated with a target private group. The attacker then issues a request to the affected member enumeration endpoint and receives the private group's member roster. Refer to the GitLab Patch Release Announcement and the GitLab Work Item Details for vendor technical context.
Detection Methods for CVE-2026-8144
Indicators of Compromise
- Repeated authenticated requests from a single user account against group member listing API endpoints across multiple group identifiers.
- Access patterns where a low-privileged project member queries groups they have no direct membership in.
- Anomalous enumeration sequences iterating through sequential group IDs within short time windows.
Detection Strategies
- Review GitLab production audit logs for groups/:id/members API calls correlated with the requesting user's permission scope.
- Baseline normal API access patterns per user role and alert on deviations indicating systematic enumeration.
- Correlate authentication events with subsequent group membership API calls to identify reconnaissance behavior.
Monitoring Recommendations
- Forward GitLab application and audit logs to a centralized logging platform for retention and query at scale.
- Build dashboards tracking per-user API call volume against group and member endpoints.
- Alert on accounts that query disproportionate numbers of group resources relative to their assigned projects.
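The enumeration pattern described under Indicators of Compromise, Detection Strategies and Monitoring Recommendations can be checked directly against GitLab API logs. The following added example (not part of the advisory) scans log lines in the shape of GitLab's api_json.log, which is assumed here to be one JSON object per line with "time", "username", "remote_ip", "route", "path" and "status" fields, and flags any account that successfully lists members of many distinct groups within a short window. The thresholds, the route pattern and the sample log lines are constructed for this example and should be tuned to the instance's own baseline.

```ruby
# Added detection example for group member enumeration in GitLab API logs.
# Log field names, thresholds and sample lines are assumptions/constructed.
require 'json'
require 'time'

MEMBER_ROUTE = %r{\A/api/:version/groups/:id/members}
GROUP_ID_RE  = %r{\A/api/v4/groups/(\d+)/members}

# Parse one log line; returns nil for anything that is not a successful
# (HTTP 200) call to the group member listing route, or for malformed lines.
def parse_member_call(line)
  e = JSON.parse(line)
  return nil unless e['route'].to_s.match?(MEMBER_ROUTE)
  return nil unless e['status'].to_i == 200
  m = GROUP_ID_RE.match(e['path'].to_s)
  return nil unless m
  { user: e['username'], ip: e['remote_ip'], group_id: m[1].to_i,
    at: Time.iso8601(e['time'].to_s) }
rescue JSON::ParserError, ArgumentError
  nil
end

# Flag users who list members of at least min_groups distinct groups within
# any window_s-second window. Returns { username => { groups:, first:, ips: } }.
def find_enumerators(lines, min_groups: 5, window_s: 300)
  calls = lines.filter_map { |l| parse_member_call(l) }
  findings = {}
  calls.group_by { |c| c[:user] }.each do |user, evts|
    evts = evts.sort_by { |c| c[:at] }
    evts.each_index do |i|
      win = evts[i..].take_while { |c| c[:at] - evts[i][:at] <= window_s }
      ids = win.map { |c| c[:group_id] }.uniq
      next if ids.size < min_groups
      findings[user] = { groups: ids.sort, first: evts[i][:at],
                         ips: win.map { |c| c[:ip] }.uniq }
      break
    end
  end
  findings
end

# Constructed sample: "mallory" walks sequential group ids in ~90 seconds
# (one request is a 404 and is ignored); "alice" makes two ordinary calls an
# hour apart; one unrelated project route is present to show it is skipped.
SAMPLE_LOG = <<~LOG
  {"time":"2026-05-12T09:00:01Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/101/members","status":200}
  {"time":"2026-05-12T09:00:12Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/102/members","status":200}
  {"time":"2026-05-12T09:00:25Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/103/members","status":200}
  {"time":"2026-05-12T09:00:40Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/104/members","status":200}
  {"time":"2026-05-12T09:01:02Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/105/members","status":200}
  {"time":"2026-05-12T09:01:30Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/106/members","status":200}
  {"time":"2026-05-12T09:01:45Z","username":"mallory","remote_ip":"203.0.113.7","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/107/members","status":404}
  {"time":"2026-05-12T09:00:05Z","username":"alice","remote_ip":"198.51.100.4","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/101/members","status":200}
  {"time":"2026-05-12T10:00:05Z","username":"alice","remote_ip":"198.51.100.4","route":"/api/:version/groups/:id/members","path":"/api/v4/groups/102/members","status":200}
  {"time":"2026-05-12T09:00:07Z","username":"alice","remote_ip":"198.51.100.4","route":"/api/:version/projects/:id","path":"/api/v4/projects/100","status":200}
LOG

# Convenience entry point over the constructed sample.
def scan_sample
  find_enumerators(SAMPLE_LOG.lines)
end

puts scan_sample.inspect if $PROGRAM_NAME == __FILE__
```

Only successful responses are counted, since a 403 or 404 means the endpoint did not disclose anything for that group. In a production pipeline the same function would be fed from the centralized log platform, and the distinct-group threshold compared against the number of groups the account can legitimately reach so that staff who administer many groups are not flagged.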
How to Mitigate CVE-2026-8144
Immediate Actions Required
- Upgrade GitLab CE/EE to version 18.9.7, 18.10.6, or 18.11.3 depending on your current major release branch.
- Audit historical access logs for evidence of group member enumeration from low-privileged accounts, covering the whole period during which the instance ran an affected release (15.1 or later).
- Review and tighten project-to-group associations to limit which users qualify as project members of sensitive private groups.
Patch Information
GitLab released fixed versions 18.9.7, 18.10.6, and 18.11.3 on 2026-05-13. Self-managed instances should follow the upgrade guidance in the GitLab Patch Release Announcement. GitLab.com SaaS instances are patched by the vendor.
Workarounds
- No official workaround is published; upgrading to a fixed release is the recommended remediation.
- Where immediate patching is not feasible, restrict project membership in projects linked to sensitive private groups to trusted users only.
- Monitor API access logs for enumeration patterns until patching is complete.
Upgrade and Verification Commands
# Debian/Ubuntu upgrade example to a fixed release (pick the release on your branch)
sudo apt-get update
sudo apt-get install gitlab-ee=18.11.3-ee.0
# Verify the installed GitLab version after the upgrade completes
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.