Access Control Flaw in GitLab Affecting Multiple Versions
CVE-2026-5377

4.3MEDIUM

Key Information:

Vendor: Gitlab
Status: Gitlab
Vendor: CVE Published:; 22 April 2026

What is CVE-2026-5377?

An issue has been identified in GitLab CE/EE versions prior to 18.11.1 that could potentially allow authenticated users to view titles of private or confidential issues within public projects. This vulnerability stems from improper access controls during the issue description rendering process, making it critical for users to update to the latest version to mitigate potential data exposure risks. GitLab has since released a patch to address this issue, emphasizing the importance of maintaining up-to-date software.

Affected Version(s)

GitLab 18.11 < 18.11.1

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/595553

https://hackerone.com/reports/3640688

technical-descriptionexploitpermissions-required

https://about.gitlab.com/releases/2026/04/22/patch-releas...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program

CVE-2026-5377 Data

JSON