CVE-2026-8472 in GitLabinfo

Summary

by MITRE • 07/09/2026

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to missing authorization checks.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability represents a critical authorization bypass flaw in GitLab Enterprise Edition that affected multiple version streams including 18.9.x through 18.11.6, 19.0.x through 19.0.3, and 19.1.x through 19.1.1. The issue stems from insufficient access control validation within the work item management system where authenticated users with minimal permissions could potentially extract metadata from private projects that should have been restricted to authorized personnel only. This represents a direct violation of the principle of least privilege and demonstrates a fundamental failure in the authorization framework governing project-level resources.

The technical implementation flaw manifests in the work item metadata retrieval mechanisms where the system failed to properly validate user permissions before exposing sensitive information about project work items. This type of vulnerability aligns with CWE-285, which categorizes improper authorization issues within software systems, and specifically relates to the failure to enforce access controls at the data level. The flaw likely occurred in the API endpoint handling work item queries or in the backend service responsible for retrieving project metadata, where the authorization check was either omitted entirely or bypassed under specific conditions.

The operational impact of this vulnerability extends beyond simple information disclosure as it could enable malicious actors with minimal access rights to gather intelligence about private projects including work item titles, descriptions, assignees, and potentially timelines. This metadata exposure could facilitate further attacks by providing attackers with insights into project structures, team compositions, and development priorities that might otherwise remain hidden. From an attacker perspective, this vulnerability maps to ATT&CK technique T1213.002 for Data from Information Repositories, as it allows unauthorized access to repository data through legitimate system interfaces.

Organizations utilizing affected GitLab versions should immediately implement mandatory upgrades to the patched releases while conducting comprehensive access control reviews of their project configurations and user permissions. The remediation process requires careful monitoring of audit logs to identify any potential exploitation attempts and implementation of additional logging for work item metadata access patterns. Security teams should also consider implementing network-level controls or API rate limiting to detect anomalous access patterns that might indicate exploitation attempts, while ensuring that all users maintain appropriate permission levels consistent with their roles within the organization's security framework.

Responsible

GitLab

Reservation

05/13/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!