Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Reporter-level group membership is required (PR:L); only package metadata is exposed with no integrity or availability impact, so C:L and I:N/A:N.
Primary rating from Vendor (gitlab).
CVSS VectorVendor: gitlab
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.
AnalysisAI
Incorrect authorization in GitLab CE/EE's group packages feature exposes package metadata from projects where the Package Registry has been explicitly disabled, allowing any authenticated Reporter-level group member to enumerate package names, versions, and publish timestamps that project owners intended to restrict. The flaw spans a very wide version range - all 13.6+ releases up to the newly-issued fixes in 18.11.6, 19.0.3, and 19.1.1 - meaning a large proportion of self-hosted GitLab deployments are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must hold an authenticated GitLab account with at minimum Reporter-level permissions on the target group (CVSS PR:L confirms authentication is required - unauthenticated or Guest-level users cannot exploit this); (2) the target group must contain at least one project that has the Package Registry feature explicitly disabled at the project settings level; and (3) the attacker must access the group-level packages endpoint rather than the individual project endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.3 Medium score is well-calibrated for this issue: PR:L confirms authentication is required (limiting the attacker pool to existing group members), the scope is unchanged (S:U), and impact is bounded to low confidentiality (C:L) with no integrity or availability dimension. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated GitLab user who holds Reporter-level membership in a group queries the group-level packages API endpoint; the endpoint returns package metadata - including package names, version numbers, and publish timestamps - from one or more member projects that have explicitly disabled their Package Registry, bypassing the per-project restriction the project owner configured. Because no POC has been identified and AC:L/PR:L apply, a knowledgeable insider or low-privileged group member could perform this passively without triggering unusual activity patterns. |
| Remediation | Upgrade GitLab CE/EE to a patched release: 18.11.6 for deployments on the 18.x branch, 19.0.3 for the 19.0 branch, or 19.1.1 for the 19.1 branch, as documented in the patch release advisory at https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.
The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x
An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10
A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)
An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star
When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is
An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39174
GHSA-v93g-p6q6-9wwq