Platform: gitlab
Component: gitlab
Fixed in: 18.8.9, 18.9.5, 18.10.3
CVE-2026-2104 is a confidentiality vulnerability in GitLab CE/EE. It allows an authenticated user to access confidential issues assigned to other users through the issue CSV export functionality. The vulnerability affects versions 18.2 through 18.10.3, and a fix is available in version 18.10.3 (backported fixes are listed above for 18.8.9 and 18.9.5).
The primary impact of CVE-2026-2104 is unauthorized access to sensitive issue data within GitLab. An attacker, already authenticated within the GitLab instance, could leverage the CSV export feature to extract confidential issue details that they should not have access to. This could expose project plans, security vulnerabilities, or other sensitive information. The blast radius is limited to users with access to the GitLab instance, but the potential for data leakage is significant, particularly in organizations with strict access control policies. This type of data exfiltration could lead to reputational damage, legal repercussions, and compromise of ongoing projects.
CVE-2026-2104 was published on 2026-04-08. Its CVSS score is 4.3 (MEDIUM). No public exploits or active campaigns have been reported at the time of writing. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of immediate exploitation. Refer to the GitLab security advisory for more details.
Organizations heavily reliant on GitLab for issue tracking and project management are at risk. Teams handling sensitive data within GitLab, such as legal, finance, or HR, are particularly vulnerable. Users with administrative privileges or those with broad access to GitLab projects should be prioritized for remediation.
• gitlab: Examine GitLab access logs for unusual CSV export activity, particularly from users who do not typically export data.
  journalctl -u gitlab-rails -f | grep 'CSV export'
• generic web: Monitor the GitLab instance's web server access logs for requests to CSV export endpoints with unusual parameters or user agents.
  curl -I <gitlab_url>/<issue_id>.csv
• generic web: Check the GitLab instance's error logs for errors related to authorization failures during CSV export attempts.
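The log checks above are described in prose only. The following is an added example, not code from the advisory or from GitLab, that applies the same idea to JSON-formatted Rails request logs: it picks out issue CSV export requests, flags users who export outside an expected baseline or across an unusual number of projects, and separately tallies export attempts that were refused (the authorization-failure signal from the third bullet). The field names follow GitLab's production_json.log layout, but the log lines, the baseline of expected exporters and the thresholds are constructed for the example.

```python
"""Added example (not from the advisory or from GitLab): scan GitLab Rails
production_json.log-style lines for issue CSV export activity.

Assumptions (labelled): each log line is a JSON object carrying "path",
"action", "status", "username" and "remote_ip" as in GitLab's
production_json.log; the sample lines, the baseline and thresholds are
constructed for this example and are not real data.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log lines (not real GitLab output).
SAMPLE_LOG = """\
{"method":"POST","path":"/acme/backend/-/issues/export_csv","action":"export_csv","status":200,"username":"alice","remote_ip":"10.0.0.5","time":"2026-04-09T10:00:00Z"}
{"method":"GET","path":"/acme/backend/-/issues/42","action":"show","status":200,"username":"alice","remote_ip":"10.0.0.5","time":"2026-04-09T10:00:05Z"}
{"method":"POST","path":"/acme/backend/-/issues/export_csv","action":"export_csv","status":200,"username":"bob","remote_ip":"203.0.113.7","time":"2026-04-09T10:01:00Z"}
{"method":"POST","path":"/acme/payroll/-/issues/export_csv","action":"export_csv","status":200,"username":"bob","remote_ip":"203.0.113.7","time":"2026-04-09T10:01:30Z"}
{"method":"POST","path":"/acme/legal/-/issues/export_csv","action":"export_csv","status":200,"username":"bob","remote_ip":"203.0.113.7","time":"2026-04-09T10:02:00Z"}
{"method":"POST","path":"/acme/legal/-/issues/export_csv","action":"export_csv","status":403,"username":"carol","remote_ip":"10.0.0.9","time":"2026-04-09T10:03:00Z"}
this line is not json and must be skipped
"""

# Constructed baseline: accounts that are expected to run issue exports.
KNOWN_EXPORTERS = {"alice"}


def parse_events(text):
    """Parse JSON log lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_csv_export(event):
    """True for requests that hit an issue CSV export endpoint."""
    path = event.get("path", "")
    return (event.get("action") == "export_csv"
            or path.endswith("/issues/export_csv")
            or path.endswith(".csv"))


def project_of(path):
    """'/group/project/-/issues/export_csv' -> '/group/project'."""
    return path.rsplit("/-/", 1)[0]


def find_suspicious_exports(text, known_exporters=KNOWN_EXPORTERS, max_projects=1):
    """Return {"flagged": [...], "denied": {user: count}}.

    A user is flagged when they are outside the baseline or when their
    accepted exports span more than max_projects distinct projects.
    Refused exports (HTTP status >= 400) are counted per user instead.
    """
    projects = defaultdict(set)
    denied = Counter()
    for e in parse_events(text):
        if not is_csv_export(e):
            continue
        user = e.get("username") or "<anonymous>"
        if int(e.get("status", 0)) >= 400:
            denied[user] += 1
        else:
            projects[user].add(project_of(e.get("path", "")))

    flagged = []
    for user in sorted(projects):
        reasons = []
        if user not in known_exporters:
            reasons.append("not in export baseline")
        if len(projects[user]) > max_projects:
            reasons.append(f"exports span {len(projects[user])} projects")
        if reasons:
            flagged.append({"user": user,
                            "projects": sorted(projects[user]),
                            "reasons": reasons})
    return {"flagged": flagged, "denied": dict(denied)}


if __name__ == "__main__":
    result = find_suspicious_exports(SAMPLE_LOG)
    for f in result["flagged"]:
        print(f"FLAG {f['user']}: {', '.join(f['reasons'])} -> {f['projects']}")
    for user, n in result["denied"].items():
        print(f"DENIED {user}: {n} refused export attempt(s)")
```

On a real instance the same function can be fed the contents of `/var/log/gitlab/gitlab-rails/production_json.log` (path is the usual Omnibus location; verify it on your deployment), and the baseline should be derived from a period before the upgrade so that a new exporter stands out rather than being silently accepted.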
Exploit status: disclosure
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2026-2104 is to immediately upgrade GitLab to version 18.10.3 or later. Prior to upgrading, review the GitLab upgrade documentation for potential breaking changes and plan a rollback strategy if necessary. As a temporary workaround, restrict access to the CSV export functionality for users with limited privileges. Consider implementing stricter authorization checks within your GitLab instance to limit access to sensitive data. After upgrading, confirm the fix by attempting to export confidential issues as a user with limited privileges; the export should fail with an authorization error.
Upgrade to GitLab version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later. This update fixes an authorization-bypass vulnerability that allowed authenticated users to access confidential issues assigned to other users through the CSV export.
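Because the fix was released on three minor lines, deciding whether a given instance still needs an upgrade, and to which release, is a small version-comparison exercise. The function below is an added example, not part of the advisory or of GitLab; it encodes only the range and fixed versions stated on this page (affected from 18.2, fixed in 18.8.9, 18.9.5 and 18.10.3). Treating minor lines newer than 18.10 as fixed is an assumption, as is the fleet list used as sample input.

```python
"""Added example (not from the advisory or from GitLab): classify GitLab
versions against the CVE-2026-2104 range stated in the advisory.

Data taken from the page: affected from 18.2 onward; fixed in 18.8.9,
18.9.5 and 18.10.3.  Assumption: minor lines newer than 18.10 already
contain the fix.  The sample fleet below is constructed.
"""

FIRST_AFFECTED = (18, 2, 0)
FIXED_IN = {
    (18, 8): (18, 8, 9),
    (18, 9): (18, 9, 5),
    (18, 10): (18, 10, 3),
}


def fmt(v):
    return ".".join(str(p) for p in v)


def parse_version(text):
    """'18.9.2-ee' -> (18, 9, 2); rejects anything that is not X.Y.Z."""
    core = text.strip().split("-")[0]  # drop edition suffix such as "-ee"
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return {"version", "affected", "upgrade_to", "note"} for one instance."""
    v = parse_version(version_text)
    out = {"version": version_text, "affected": False, "upgrade_to": None}

    if v < FIRST_AFFECTED:
        out["note"] = "before the first affected release"
        return out

    line = v[:2]
    if line in FIXED_IN:
        fixed = FIXED_IN[line]
        if v >= fixed:
            out["note"] = "release contains the fix"
        else:
            out.update(affected=True, upgrade_to=fmt(fixed),
                       note="patch release available on this minor line")
        return out

    if v > max(FIXED_IN.values()):
        # Assumption: later minor lines were cut after the fix landed.
        out["note"] = "newer than the fixed releases (assumed fixed)"
        return out

    # 18.2 .. 18.7: no backport on this line; move to the nearest fixed line.
    target = min(f for f in FIXED_IN.values() if f > v)
    out.update(affected=True, upgrade_to=fmt(target),
               note="no patch on this minor line; upgrade to the next fixed line")
    return out


def needs_upgrade(fleet):
    """Filter a list of version strings down to the instances still affected."""
    return [r for r in (assess(v) for v in fleet) if r["affected"]]


if __name__ == "__main__":
    # Constructed sample fleet, not real inventory data.
    fleet = ["18.1.9", "18.5.1", "18.8.8", "18.9.2-ee", "18.10.3", "18.11.0"]
    for r in needs_upgrade(fleet):
        print(f"{r['version']}: upgrade to {r['upgrade_to']} ({r['note']})")
```

The "upgrade_to" value is the minimum release that closes the gap on the instance's own minor line, which matches the advisory's wording ("18.8.9 or later, 18.9.5 or later, or 18.10.3 or later"); an organization that prefers to consolidate on one line can simply override it with 18.10.3.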
CVE-2026-2104 is a vulnerability in GitLab CE/EE allowing authenticated users to access confidential issues assigned to others via CSV export due to insufficient authorization checks. It has a CVSS score of 4.3 (MEDIUM).
You are affected if you are running GitLab versions 18.2.0 through 18.10.3. Upgrade to 18.10.3 or later to mitigate the risk.
Upgrade GitLab to version 18.10.3 or later. Prior to upgrading, create a rollback plan and review access control lists.
There is currently no evidence of active exploitation of CVE-2026-2104, but a PoC could make exploitation easier.
Refer to the official GitLab security advisory for CVE-2026-2104 at [https://gitlab.com/security/advisories/CVE-2026-2104](https://gitlab.com/security/advisories/CVE-2026-2104)