Access Control Vulnerability in GitLab CE/EE Products
CVE-2025-2615

4.3 MEDIUM

Key Information:

Vendor: GitLab
Status: Vendor
CVE Published: 15 November 2025

What is CVE-2025-2615?

GitLab has fixed an access control issue in GitLab CE/EE that allowed a blocked user to access sensitive information through GraphQL subscriptions delivered over WebSocket connections. Subscriptions on that path were handled improperly, so an account that had been blocked, and should therefore have been locked out, could still receive data from the affected instance. The issue affects all versions from 16.7 before 18.3.6, 18.4 before 18.4.4 and 18.5 before 18.5.2; it is fixed in 18.3.6, 18.4.4 and 18.5.2, and all users running an affected version are advised to upgrade to one of those releases.
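As an added illustration of the bug class, not GitLab's code and not a description of the exact defect (the advisory only says the subscriptions were handled improperly): a long-lived subscription channel that checks a user's block state only when the subscription is created keeps delivering events after the account is blocked, because the socket outlives the authorization decision. The hardened variant re-evaluates the block state on every push and tears the subscription down. The class names, the `User` and `Subscription` structures and the event strings are all hypothetical.

```ruby
# Added example, not GitLab's code: a subscription hub that authorizes once at
# subscribe time (weak) beside one that re-checks the block state on every
# delivery (hardened).

# Hypothetical user record; `blocked` is mutable so an admin can block the
# account while a WebSocket subscription is still open.
User = Struct.new(:name, :blocked) do
  def blocked?
    blocked
  end
end

# One open subscription: the user who opened it and the messages the server
# pushed to it (stands in for the socket write).
class Subscription
  attr_reader :user, :received

  def initialize(user)
    @user = user
    @received = []
  end
end

# Weak hub: the block state is evaluated only when the subscription is
# created. Blocking the user afterwards does not affect the open channel.
class WeakHub
  def initialize
    @subs = []
  end

  # Rejecting blocked users up front is necessary but not sufficient.
  def subscribe(user)
    raise ArgumentError, "user #{user.name} is blocked" if user.blocked?

    Subscription.new(user).tap { |s| @subs << s }
  end

  def publish(event)
    @subs.each { |s| s.received << event }
  end

  def subscribers
    @subs.map(&:user)
  end
end

# Hardened hub: blocked users are dropped before each delivery, so an account
# blocked mid-session stops receiving data at the next event.
class HardenedHub < WeakHub
  def publish(event)
    @subs.reject! { |s| s.user.blocked? } # disconnect blocked users first
    super
  end
end

# Constructed scenario: alice subscribes, is blocked, then another event fires.
# Returns the events alice's still-open subscription actually received.
def deliveries_after_block(hub_class)
  alice = User.new("alice", false)
  hub = hub_class.new
  sub = hub.subscribe(alice)
  hub.publish("issue:1 updated")          # delivered: alice is still allowed
  alice.blocked = true                    # admin blocks alice; socket stays open
  hub.publish("issue:1 confidential note") # weak hub still delivers this
  sub.received
end

if __FILE__ == $PROGRAM_NAME
  p deliveries_after_block(WeakHub)     # ["issue:1 updated", "issue:1 confidential note"]
  p deliveries_after_block(HardenedHub) # ["issue:1 updated"]
end
```

The point the weak hub makes is that a block is a change to a principal's authorization state, and every long-lived channel that principal holds (WebSocket subscriptions, SSE streams, polling tokens) must observe it; checking at connection time alone reproduces the shape of this advisory.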

Affected Version(s)

GitLab 16.7 < 18.3.6

GitLab 18.4 < 18.4.4

GitLab 18.5 < 18.5.2

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 15 November 2025

  • Vulnerability reserved
Credit

Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program.