Arbitrary Access Vulnerability in GitLab EE Service Desk Email Templates
CVE-2023-5600
3.1 LOW
What is CVE-2023-5600?
A flaw in GitLab EE allows the titles of private references to be read, without authorization, through the service desk custom email template. It affects GitLab EE 16.0 up to and including 16.3.5, 16.4 up to and including 16.4.1, and 16.5.0. Exploitation could expose information that was not intended for public viewing, which highlights the need to enforce the viewer's permissions when rendering custom email templates.
Affected Version(s)
GitLab 16.0 < 16.3.6
GitLab 16.4 < 16.4.2
GitLab 16.5 < 16.5.1
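As an added example (not part of this advisory or GitLab's own tooling), the ranges above turned into a check that tells an administrator whether an installed GitLab version is affected and which release it should be upgraded to. It compares version numbers only and does not distinguish CE from EE; the sample versions at the bottom are constructed for illustration.

```python
# Added example: check a GitLab version string against the affected ranges
# listed in the CVE-2023-5600 advisory. Not GitLab's own code.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (first affected, first fixed) for each range in the advisory.
AFFECTED_RANGES = [
    ((16, 0, 0), (16, 3, 6)),
    ((16, 4, 0), (16, 4, 2)),
    ((16, 5, 0), (16, 5, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' (e.g. '16.3.5' or '16.4.1-ee') into a 3-tuple."""
    core = text.strip().split("-")[0]  # drop edition suffixes such as '-ee'
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # '16.4' means 16.4.0


def fixed_version_for(text: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `text` is affected, else None."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(n) for n in first_fixed)
    return None


def is_affected(text: str) -> bool:
    return fixed_version_for(text) is not None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real instance.
    for sample in ["16.3.5", "16.3.6", "16.4.1-ee", "16.5.0", "15.11.2", "16.6.0"]:
        fix = fixed_version_for(sample)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:>10}: {status}")
```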
CVSS V3.1
Score: 3.1
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Credit
Thanks to [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program.