Improper Access Control in GitLab Products By GitLab
CVE-2026-1724

6.8MEDIUM

Key Information:

Vendor

Gitlab
Status
Gitlab
Vendor
CVE Published:
25 March 2026

What is CVE-2026-1724?

GitLab has addressed a security vulnerability in its EE product that allowed unauthorized users to gain access to API tokens for self-hosted AI models. This issue arose from improper access control mechanisms in place, affecting multiple versions of GitLab EE. Users running versions prior to 18.8.7, 18.9.3, and 18.10.1 were particularly susceptible to this vulnerability. Organizations using affected versions are strongly advised to update to the latest release to protect sensitive token information and secure their deployment against potential exploitation. The vulnerability highlights the importance of robust access control measures in safeguarding critical components of the software.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

GitLab 18.5 < 18.8.7

GitLab 18.9 < 18.9.3

GitLab 18.10 < 18.10.1

References

https://hackerone.com/reports/3531412
technical-descriptionexploitpermissions-required
https://gitlab.com/gitlab-org/gitlab/-/work_items/588334
https://about.gitlab.com/releases/2026/03/25/patch-releas...

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [maksyche](https://hackerone.com/maksyche) for reporting this vulnerability through our HackerOne bug bounty program
JSON
.