Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.
AnalysisAI
Private group member enumeration in GitLab CE/EE affects all versions from 15.1 through unfixed releases 18.9.6, 18.10.5, and 18.11.2, permitting any authenticated user holding project membership to discover the member list of an otherwise private group due to a missing authorization check (CWE-862). The flaw collapses GitLab's tiered permission boundary between project-level and group-level access, leaking organizational membership data to users who have no entitlement to view it. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% (2nd percentile) reflects near-zero observed exploitation probability.
Technical ContextAI
GitLab CE and EE are self-hosted and SaaS Git repository platforms with a layered permission model in which group membership is a distinct access tier from project membership. CWE-862 (Missing Authorization) identifies the root cause: a code path returning private group membership data fails to enforce the policy check confirming the requester is entitled to view that resource. Specifically, a project member is not automatically entitled to enumerate the parent group's member list when that group is private, but the missing check allows this boundary to be crossed. CPE identifiers cpe:2.3:a:gitlab:gitlab covering both the Community Edition and Enterprise Edition across the affected version ranges are confirmed by NVD and EUVD-2026-30241, meaning the flaw is present in all deployment tiers including self-managed and GitLab.com-hosted instances.
RemediationAI
Upgrade to GitLab CE/EE version 18.9.7, 18.10.6, or 18.11.3 - vendor-released patches confirmed by the GitLab advisory published 2026-05-13 at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. Organizations unable to patch immediately should audit and tighten project membership rosters on projects linked to sensitive private groups, revoking access for external contributors or contractors who do not require it - this directly shrinks the set of accounts that can exploit the flaw, though it carries the operational trade-off of reducing collaboration access. Additionally, restricting the ability to add new project members on sensitive group-linked projects via GitLab's project settings reduces ongoing exposure. Note that neither workaround eliminates the vulnerability; patching to a fixed release is the only complete remediation.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30241
GHSA-c73g-r4cp-2xmg