Authorization Bypass in GitLab CE/EE Affects Multiple Versions
CVE-2026-2104

4.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-2104?

GitLab has addressed a significant authorization bypass issue in its CE/EE versions which affected all instances from 18.2 up to but not including 18.8.9, 18.9 up to but not including 18.9.5, and 18.10 up to but not including 18.10.3. This vulnerability could potentially allow an authenticated user to export confidential issues assigned to other users via CSV, highlighting a serious concern regarding insufficient authorization checks within the platform.

Affected Version(s)

GitLab 18.2 < 18.8.9

GitLab 18.9 < 18.9.5

GitLab 18.10 < 18.10.3

References

https://hackerone.com/reports/3541476

technical-descriptionexploitpermissions-required

https://gitlab.com/gitlab-org/gitlab/-/work_items/589021

https://about.gitlab.com/releases/2026/04/08/patch-releas...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Feb 6, 2026

Credit

Thanks [ahacker1](https://hackerone.com/ahacker1) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-2104 Data

JSON