Skip to main content

GitLab CVE-2026-8144

| EUVDEUVD-2026-30241 MEDIUM
Missing Authorization (CWE-862)
2026-05-14 cve@gitlab.com GHSA-c73g-r4cp-2xmg
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 11:09 vuln.today
Patch available
May 14, 2026 - 07:16 EUVD

DescriptionCVE.org

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.

AnalysisAI

Private group member enumeration in GitLab CE/EE affects all versions from 15.1 through unfixed releases 18.9.6, 18.10.5, and 18.11.2, permitting any authenticated user holding project membership to discover the member list of an otherwise private group due to a missing authorization check (CWE-862). The flaw collapses GitLab's tiered permission boundary between project-level and group-level access, leaking organizational membership data to users who have no entitlement to view it. No public exploit has been identified at time of analysis, and an EPSS score of 0.01% (2nd percentile) reflects near-zero observed exploitation probability.

Technical ContextAI

GitLab CE and EE are self-hosted and SaaS Git repository platforms with a layered permission model in which group membership is a distinct access tier from project membership. CWE-862 (Missing Authorization) identifies the root cause: a code path returning private group membership data fails to enforce the policy check confirming the requester is entitled to view that resource. Specifically, a project member is not automatically entitled to enumerate the parent group's member list when that group is private, but the missing check allows this boundary to be crossed. CPE identifiers cpe:2.3:a:gitlab:gitlab covering both the Community Edition and Enterprise Edition across the affected version ranges are confirmed by NVD and EUVD-2026-30241, meaning the flaw is present in all deployment tiers including self-managed and GitLab.com-hosted instances.

RemediationAI

Upgrade to GitLab CE/EE version 18.9.7, 18.10.6, or 18.11.3 - vendor-released patches confirmed by the GitLab advisory published 2026-05-13 at https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/. Organizations unable to patch immediately should audit and tighten project membership rosters on projects linked to sensitive private groups, revoking access for external contributors or contractors who do not require it - this directly shrinks the set of accounts that can exploit the flaw, though it carries the operational trade-off of reducing collaboration access. Additionally, restricting the ability to add new project members on sensitive group-linked projects via GitLab's project settings reduces ongoing exposure. Note that neither workaround eliminates the vulnerability; patching to a fixed release is the only complete remediation.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-8144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy