Unauthenticated Access Issue in GitLab CE/EE Products
CVE-2025-2246

5.8MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 27 August 2025

What is CVE-2025-2246?

A security flaw in GitLab CE/EE allows unauthorized users to retrieve sensitive manual CI/CD variables through the GraphQL API. This vulnerability affects all versions prior to 18.1.5, versions 18.2 before 18.2.5, and versions 18.3 before 18.3.1. Users could exploit this issue to gain exposure to confidential data, highlighting the need for immediate updates to secure impacted systems.

Affected Version(s)

GitLab 0 < 18.1.5

GitLab 18.2 < 18.2.5

GitLab 18.3 < 18.3.1

References

https://gitlab.com/gitlab-org/gitlab/-/issues/524592

issue-trackingpermissions-required

https://hackerone.com/reports/3026559

technical-descriptionexploitpermissions-required

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 27, 2025
Vulnerability Reserved
Mar 12, 2025

Credit

Thanks [pwnie](https://hackerone.com/pwnie) for reporting this vulnerability through our HackerOne bug bounty program

Gitlab

What is CVE-2025-2246?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit