CVE-2026-2104 · CVSS 4.3 (MEDIUM)

CVE-2026-2104: Confidentiality Issue in GitLab

Platform

gitlab

Component

gitlab

Fixed in

18.8.9

18.9.5

18.10.3

Source: NVD · EPSS 0.01% · Reviewed: May 2026

CVE-2026-2104 is an authorization flaw in GitLab CE/EE with a confidentiality impact. The issue CSV export did not enforce the same authorization checks as the issue views, so an authenticated user could obtain confidential issues assigned to other users by exporting them. Affected versions are 18.2 before 18.8.9, 18.9 before 18.9.5 and 18.10 before 18.10.3; the fix shipped in 18.8.9, 18.9.5 and 18.10.3.

Impact and Attack Scenarios

The impact of CVE-2026-2104 is unauthorized read access to confidential issue data. Any authenticated user (CVSS PR:L, no elevated role needed) could trigger a CSV export that included confidential issues assigned to other users, exposing whatever those issues contain: security findings, unreleased product details, credentials pasted into descriptions, or personal data about reporters and customers. Because only a valid account is required and no victim interaction is involved, the realistic threat actors are insiders, self-registered users on instances with open sign-up, and attackers holding a compromised low-privilege account.

Exploitation Context

CVE-2026-2104 was publicly disclosed on 2026-04-08. No active exploitation has been reported, the vulnerability is not listed in the CISA KEV catalog, and no public proof-of-concept is known. The prerequisites are nonetheless minimal (any authenticated account, low attack complexity, no user interaction), so the absence of a PoC offers little assurance: assume that every account able to log in to an unpatched instance can reach the vulnerable export path.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 2 threat reports

EPSS

0.01% (3rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (base score 4.3, MEDIUM; CVSS v3.1 base score as assessed by nextguardhq.com)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: gitlab
Vendor: GitLab

Affected range              Fixed in
18.2 to before 18.8.9       18.8.9
18.9 to before 18.9.5       18.9.5
18.10 to before 18.10.3     18.10.3
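The table above is easy to misread as inclusive ranges; the fixed version in each line is not affected. The following is an added example written for this page, not GitLab tooling, that encodes the three ranges from the table and decides whether a given instance is affected. The `/api/v4/version` response shape (`{"version": "18.9.2-ee", ...}`) is GitLab's public API; the `Version:` line format for `gitlab-rake gitlab:env:info` output is assumed, and the sample inputs are constructed.

```python
"""Added example for CVE-2026-2104: classify a GitLab version against the
advisory's affected ranges. Not GitLab's own code."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected version, first fixed version) per release line, from the advisory table.
AFFECTED_RANGES = (
    ((18, 2, 0), (18, 8, 9)),    # 18.2 through 18.8.x, fixed in 18.8.9
    ((18, 9, 0), (18, 9, 5)),    # 18.9.x, fixed in 18.9.5
    ((18, 10, 0), (18, 10, 3)),  # 18.10.x, fixed in 18.10.3
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract MAJOR.MINOR.PATCH and ignore suffixes such as '-ee' or '-ce.0'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first fixed version in that release line or None).

    Versions below 18.2, fixed versions and later lines (18.11+) are reported
    as not affected, exactly as the advisory table states.
    """
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= v < first_fixed:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None


def version_from_api_json(body: str) -> str:
    """Version string from a GET /api/v4/version response body."""
    return json.loads(body)["version"]


def version_from_env_info(text: str) -> str:
    """Version string from `gitlab-rake gitlab:env:info` output (assumed 'Version:' line)."""
    for line in text.splitlines():
        if line.strip().startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line found")


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real instance.
    api_body = '{"version":"18.9.2-ee","revision":"0123abcd","enterprise":true}'
    env_info = "GitLab information\nVersion:\t18.10.3-ee\nRevision:\t89abcdef\n"
    for label, ver in (("api", version_from_api_json(api_body)),
                       ("env", version_from_env_info(env_info))):
        affected, fix = is_affected(ver)
        verdict = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{label}: {ver} -> {verdict}")
```

Run it against the output of `curl -s https://gitlab.example/api/v4/version` (authenticated) or `sudo gitlab-rake gitlab:env:info`; a version that is reported as not affected but sits on 18.2 to 18.7 still has to move forward along GitLab's upgrade path to reach 18.8.9.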

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The fix is to upgrade to the patched release for your line: 18.8.9, 18.9.5 or 18.10.3, or any later version within that line. Test the upgrade in staging first and keep a rollback plan (a verified backup plus the previous package) in case it introduces compatibility problems. Until the upgrade lands, reduce exposure rather than trying to patch around the flaw: confidential issues are intended to be visible only to project members with a sufficient role and to the issue's participants, so review project and group membership, remove or downgrade accounts that no longer need access, and treat self-registered or external accounts on an internet-facing instance as able to reach the export path. There is no dedicated GitLab setting that restricts issue CSV export on its own, so membership review is the lever. Afterwards, audit the request log for issue CSV exports during the exposure window and follow up on exports triggered by users who should not have been able to see confidential issues in those projects.
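To make the log audit concrete, the following is an added example written for this page, not GitLab's own tooling. It scans GitLab's per-request JSON log (`production_json.log`) for issue CSV export requests inside an exposure window and summarises them per user. Assumptions not stated in the advisory: the log is one JSON object per line with `time`, `controller`, `action`, `status`, `username`, `remote_ip` and `meta.project` fields, and the project issue export is served by `Projects::IssuesController#export_csv`, which redirects back to the issue list after enqueuing the job. Confirm both against a real export in your own log before relying on the filter. The sample log lines and the window dates are constructed.

```python
"""Added example for CVE-2026-2104: triage issue CSV exports in GitLab's
production_json.log. Not GitLab's own code; field and action names are assumed."""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List

EXPORT_CONTROLLER = "Projects::IssuesController"  # assumed controller name
EXPORT_ACTION = "export_csv"                        # assumed action name
ACCEPTED_STATUSES = (200, 302)                      # export_csv redirects after enqueuing

# Constructed window: disclosure date to an assumed patch date on this instance.
WINDOW_START = datetime(2026, 4, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 20, tzinfo=timezone.utc)

# Constructed sample log, one JSON record per line (not captured from a real instance).
SAMPLE_LOG = """
{"time":"2026-04-08T10:00:00Z","method":"POST","path":"/acme/app/-/issues/export_csv","controller":"Projects::IssuesController","action":"export_csv","status":302,"username":"alice","remote_ip":"10.0.0.5","meta.project":"acme/app"}
{"time":"2026-04-08T10:05:00Z","method":"POST","path":"/acme/app/-/issues/export_csv","controller":"Projects::IssuesController","action":"export_csv","status":302,"username":"mallory","remote_ip":"203.0.113.7","meta.project":"acme/app"}
{"time":"2026-04-08T10:06:00Z","method":"GET","path":"/acme/app/-/issues","controller":"Projects::IssuesController","action":"index","status":200,"username":"mallory","remote_ip":"203.0.113.7","meta.project":"acme/app"}
{"time":"2026-04-07T23:59:00Z","method":"POST","path":"/acme/app/-/issues/export_csv","controller":"Projects::IssuesController","action":"export_csv","status":302,"username":"bob","remote_ip":"10.0.0.9","meta.project":"acme/app"}
{"time":"2026-04-09T11:00:00Z","method":"POST","path":"/acme/infra/-/issues/export_csv","controller":"Projects::IssuesController","action":"export_csv","status":302,"username":"mallory","remote_ip":"203.0.113.7","meta.project":"acme/infra"}
{"time":"2026-04-09T11:30:00Z","method":"POST","path":"/acme/infra/-/issues/export_csv","controller":"Projects::IssuesController","action":"export_csv","status":403,"username":"eve","remote_ip":"198.51.100.2","meta.project":"acme/infra"}
this line is not JSON and must be skipped
"""


def _parse_ts(ts: str) -> datetime:
    # The log uses ISO-8601 with a trailing 'Z'; fromisoformat wants '+00:00'.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_issue_exports(lines: Iterable[str], start: datetime, end: datetime) -> List[Dict[str, str]]:
    """Return accepted issue CSV export requests inside [start, end], oldest first."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial write or non-JSON line: skip, do not abort the scan
        if rec.get("controller") != EXPORT_CONTROLLER or rec.get("action") != EXPORT_ACTION:
            continue
        if rec.get("status") not in ACCEPTED_STATUSES:
            continue  # rejected requests did not produce an export
        if not (start <= _parse_ts(rec["time"]) <= end):
            continue
        hits.append({
            "time": rec["time"],
            "user": rec.get("username", "?"),
            "project": rec.get("meta.project", "?"),
            "ip": rec.get("remote_ip", "?"),
        })
    return sorted(hits, key=lambda h: h["time"])


def summarize_by_user(hits: List[Dict[str, str]]) -> Counter:
    """Count exports per user so the heaviest exporters surface first."""
    return Counter(h["user"] for h in hits)


if __name__ == "__main__":
    exports = find_issue_exports(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)
    for h in exports:
        print(f"{h['time']}  {h['user']:<10} {h['project']:<12} {h['ip']}")
    for user, n in summarize_by_user(exports).most_common():
        print(f"{user}: {n} export(s)")
```

Feed it the real file with `find_issue_exports(open("/var/log/gitlab/gitlab-rails/production_json.log"), start, end)` and cross-check each hit against the exporter's role in that project at the time; GitLab delivers the CSV by e-mail asynchronously, so these entries record who triggered an export, not a download.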

How to fix

Upgrade within your release line: to 18.8.9 or later on 18.8, 18.9.5 or later on 18.9, or 18.10.3 or later on 18.10. Instances on 18.2 to 18.7 must move forward to at least 18.8.9, following GitLab's documented upgrade path. The patch corrects an authorization bypass in the issue CSV export that allowed authenticated users to obtain confidential issues assigned to other users.


Frequently asked questions

What is CVE-2026-2104 — Confidentiality Issue in GitLab?

CVE-2026-2104 is a vulnerability in GitLab CE/EE allowing authenticated users to access confidential issues assigned to others via CSV export due to insufficient authorization checks. It has a CVSS score of 4.3 (MEDIUM).

Am I affected by CVE-2026-2104 in GitLab?

You are affected if you run GitLab 18.2 before 18.8.9, 18.9 before 18.9.5, or 18.10 before 18.10.3. Upgrade to the patched release for your line (18.8.9, 18.9.5 or 18.10.3) or later to close the issue.

How do I fix CVE-2026-2104 in GitLab?

Upgrade GitLab to 18.8.9, 18.9.5 or 18.10.3 (or a later release in the same line). Before upgrading, take a verified backup and prepare a rollback plan, and review project membership so that only intended users can see confidential issues.

Is CVE-2026-2104 being actively exploited?

There is currently no evidence of active exploitation of CVE-2026-2104 and it is not in the CISA KEV catalog. Exploitation requires only an authenticated account and no user interaction, so treat unpatched instances as exposed regardless of whether a public PoC appears.

Where can I find the official GitLab advisory for CVE-2026-2104?

Refer to the official GitLab security advisory for CVE-2026-2104 at https://gitlab.com/security/advisories/CVE-2026-2104
