Information Disclosure Vulnerability in GitLab CE/EE
CVE-2025-3950
3.5 (Low)
What is CVE-2025-3950?
An information disclosure issue has been identified in GitLab CE/EE that could allow users to leak sensitive information. Specially crafted image references could be embedded in a way that bypasses the asset proxy protection, which normally routes externally hosted images through a proxy so that a viewer's browser does not contact the external host directly; bypassing it enables unauthorized access to certain data. The vulnerability affects the GitLab CE/EE version ranges listed below and is fixed in 18.5.5, 18.6.3 and 18.7.1.
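The advisory does not describe the crafted reference, so the following is an added illustration rather than GitLab's own code: it shows what an asset proxy does (a camo-style rewrite, with the hex HMAC and hex-encoded URL layout, is assumed here) and a check over rendered HTML that flags any `<img>` whose `src` would still make the viewer's browser contact an external host directly, which is the property the advisory says was bypassed. The proxy host, secret, site host and sample HTML are constructed example values.

```ruby
require 'openssl'
require 'uri'

# Example settings only (constructed for this illustration, not a real deployment).
ASSET_PROXY_URL    = 'https://assets.example.com'.freeze
ASSET_PROXY_SECRET = 'example-asset-proxy-secret'.freeze
SITE_HOST          = 'gitlab.example.com'.freeze

# Rewrite an external image URL into a camo-style proxied URL (assumed layout):
#   <proxy>/<hex HMAC-SHA1(secret, url)>/<hex-encoded url>
# The HMAC lets the proxy refuse URLs that were not issued by the application.
def proxy_image_url(url)
  digest = OpenSSL::HMAC.hexdigest('sha1', ASSET_PROXY_SECRET, url)
  "#{ASSET_PROXY_URL}/#{digest}/#{url.unpack1('H*')}"
end

# Decide whether an <img src> may appear in rendered output without proxying.
# Allowed: relative paths, same-host URLs, and URLs already pointing at the proxy.
# Anything that would make the viewer's browser contact another host directly
# (including protocol-relative "//host/..." forms) is treated as a bypass.
def image_src_allowed?(src)
  begin
    uri = URI.parse(src.strip)
  rescue URI::InvalidURIError
    return false # unparseable src: treat conservatively as not allowed
  end
  return true if uri.host.nil?                  # relative path or data: URI
  return true if uri.host == SITE_HOST          # same origin
  return true if src.strip.start_with?("#{ASSET_PROXY_URL}/")
  false
end

# Scan rendered HTML for <img> tags whose src is not covered by the proxy.
# Returns the offending src values (an empty array means every image is proxied).
def unproxied_image_sources(html)
  html.scan(/<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i)
      .flatten
      .reject { |src| image_src_allowed?(src) }
end

# Constructed sample of rendered output: one local upload, one correctly proxied
# external image, and one external image that escaped the proxy.
SAMPLE_HTML = <<~HTML
  <p>Constructed sample, not real GitLab output.</p>
  <img src="/uploads/diagram.png">
  <img src="#{proxy_image_url('https://cdn.example/badge.svg')}">
  <img src="https://tracker.example/pixel.png?u=victim">
HTML

if __FILE__ == $PROGRAM_NAME
  puts "unproxied image sources: #{unproxied_image_sources(SAMPLE_HTML).inspect}"
end
```

Running the file lists the tracker pixel as the only unproxied source. The check is deliberately conservative: an `src` that does not parse as a URI is reported rather than ignored, since a malformed reference is exactly the kind of input a bypass would use.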
Affected Version(s)
GitLab CE/EE from 10.3 before 18.5.5
GitLab CE/EE from 18.6 before 18.6.3
GitLab CE/EE from 18.7 before 18.7.1
CVSS v3.1
Score: 3.5
Severity: Low
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Note: the listed base score of 3.5 corresponds to Availability: None; with Availability: Low the same exploitability metrics would score 4.6, so the Low availability impact originally shown here was inconsistent with the score.
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program.