Skip to main content
CVE Vulnerability Database

CVE-2026-8472: GitLab EE Authorization Bypass Vulnerability

CVE-2026-8472 is an authorization bypass vulnerability in GitLab Enterprise Edition that allows authenticated users to access private project metadata. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-8472 Overview

CVE-2026-8472 is a missing authorization vulnerability [CWE-862] in GitLab Enterprise Edition (EE). The flaw allows an authenticated user with minimal access permissions to read work item metadata from private projects. GitLab EE versions 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 are affected. The root cause is a missing authorization check in the work items subsystem. GitLab has released patched versions that enforce proper access control on the affected endpoints.

Critical Impact

Authenticated low-privilege users can enumerate work item metadata from private GitLab projects they should not be able to access, resulting in confidentiality loss for project planning data.

Affected Products

  • GitLab EE 18.9 through versions before 18.11.7
  • GitLab EE 19.0 through versions before 19.0.4
  • GitLab EE 19.1 through versions before 19.1.2

Discovery Timeline

  • 2026-07-08 - CVE-2026-8472 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-8472

Vulnerability Analysis

CVE-2026-8472 is a Broken Access Control issue affecting the GitLab work items feature. Work items in GitLab represent planning artifacts such as issues, tasks, and epics, and they carry metadata including titles, labels, assignees, and state. The affected code paths did not verify whether the requesting user held sufficient project membership before returning work item metadata. As a result, users authenticated to the GitLab instance with only minimal permissions could query metadata that belongs to private projects. The vulnerability requires authentication and does not require user interaction, but it does not permit modification of data or impact availability.

Root Cause

The vulnerability stems from a missing authorization check [CWE-862] in the work item resolver logic. The affected endpoints returned metadata without validating the caller's role against the project's visibility settings. Private project data was therefore accessible to any authenticated user who could reach the endpoint, bypassing the intended project-level access control model.

Attack Vector

Exploitation is performed over the network against the GitLab API. An attacker only needs a valid authenticated session on the target GitLab instance and the identifier of a work item within a private project. Sending a crafted request to the vulnerable endpoint returns metadata that should be restricted to project members. No exploit code is publicly available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog. Technical details are available in the GitLab Work Item Details and HackerOne Report #3615282.

Detection Methods for CVE-2026-8472

Indicators of Compromise

  • Unusual volume of GraphQL or REST API queries to /api/v4/projects/*/issues or work item endpoints from low-privilege accounts.
  • Access log entries showing authenticated users querying work item identifiers belonging to projects where they are not listed as members.
  • Sequential enumeration of work item IDs from a single session or token.

Detection Strategies

  • Correlate GitLab production_json.log and api_json.log entries against project membership tables to flag cross-project metadata reads.
  • Baseline normal work item query patterns per user role and alert on deviations that suggest enumeration.
  • Monitor GitLab audit events for repeated authorization-related lookups originating from accounts with Guest or minimal role assignments.

Monitoring Recommendations

  • Ingest GitLab application and API logs into a centralized logging platform with retention that covers the exposure window.
  • Enable GitLab audit events for API access and review them for anomalies against private projects.
  • Track the GitLab version currently deployed and alert on installations that remain below the patched releases.

How to Mitigate CVE-2026-8472

Immediate Actions Required

  • Upgrade GitLab EE to 18.11.7, 19.0.4, or 19.1.2 or later, depending on the deployed branch.
  • Review recent API access logs for signs of unauthorized work item metadata queries by low-privilege accounts.
  • Rotate or restrict personal access tokens belonging to accounts that showed anomalous work item access.

Patch Information

GitLab released fixed versions 18.11.7, 19.0.4, and 19.1.2 that add the missing authorization checks to the work items code path. Refer to the GitLab Patch Release Notes for upgrade procedures and hash verification.

Workarounds

  • Restrict account creation and disable self-registration to reduce the pool of authenticated attackers on internet-facing instances.
  • Apply network-level access controls to the GitLab API so that only trusted networks can reach work item endpoints until patches are deployed.
  • Audit and reduce the number of accounts holding minimal-but-authenticated roles that do not require project visibility.
bash
# Verify installed GitLab version and upgrade using the official package
sudo gitlab-rake gitlab:env:info | grep -i version
sudo apt-get update && sudo apt-get install --only-upgrade gitlab-ee
sudo gitlab-ctl reconfigure && sudo gitlab-ctl restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.