GitLab EE API Bypass Vulnerability for Issue Update Disclosures to Banned Group Members

Vulnerability

A vulnerability exists in GitLab EE versions 15.2 prior to 16.9.7, 16.10 prior to 16.10.5, and 16.11 prior to 16.11.2. This issue allows banned group members to access updates on issues through the API, circumventing their restricted status.

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of issue updates to banned group members via the API.
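For triage, the first question is whether a given GitLab EE instance falls inside the affected ranges quoted above. The following check is an added example, not code from the advisory or from GitLab; it encodes the three ranges from the description as half-open intervals and assumes the version string looks like `16.9.6-ee` (the `-ee` suffix handling is an assumption).

```python
from typing import Optional, Tuple

# Affected ranges from the advisory, as [first affected, first fixed) pairs.
# Each series is patched from the "fixed" version onward.
AFFECTED_RANGES = [
    ((15, 2, 0), (16, 9, 7)),    # 15.2 prior to 16.9.7
    ((16, 10, 0), (16, 10, 5)),  # 16.10 prior to 16.10.5
    ((16, 11, 0), (16, 11, 2)),  # 16.11 prior to 16.11.2
]


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' (optionally with a '-ee' style suffix,
    an assumption about how the version is reported) into an int tuple."""
    core = s.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside any listed affected range.
    Versions outside every listed range (e.g. 17.x) are reported as
    not affected only because the advisory lists no such range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed release for the affected range the version
    falls in, or None when the version is not in a listed range."""
    v = parse_version(version)
    for lo, fixed in AFFECTED_RANGES:
        if lo <= v < fixed:
            return ".".join(str(n) for n in fixed)
    return None


if __name__ == "__main__":
    for sample in ("16.9.6-ee", "16.9.7-ee", "16.10.4", "17.0.0"):
        print(sample, "affected" if is_affected(sample) else "not affected",
              recommended_fix(sample))
```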

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          7.3
impact          2.5
exploitability  5.2
remediation     0.0
relevance       0.0
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.