Platform: gitlab
Component: gitlab
Fixed in: 18.8.9, 18.9.5, 18.10.3
CVE-2026-1516 is an information disclosure vulnerability affecting GitLab Enterprise Edition (EE). An authenticated user can potentially leak the IP addresses of other users viewing specially crafted Code Quality reports. This vulnerability impacts versions 18.0.0 through 18.10.3 and has been resolved in version 18.10.3.
The primary impact of CVE-2026-1516 is the potential exposure of user IP addresses. While seemingly minor, this information can be leveraged for reconnaissance purposes. An attacker could use the leaked IP addresses to identify internal network infrastructure, map out user locations, or potentially target specific users with further attacks. This vulnerability doesn't grant direct access to systems or data but provides valuable information for planning more sophisticated attacks. The ability to correlate IP addresses with user accounts within GitLab could also facilitate social engineering attempts.
CVE-2026-1516 was publicly disclosed on 2026-04-08. There is currently no indication of active exploitation or a public proof-of-concept. The vulnerability is not listed on the CISA KEV catalog. The relatively low CVSS score suggests a low probability of exploitation, but the potential for reconnaissance makes it important to address.
Exploit Status
EPSS: 0.04% (14th percentile)
CISA SSVC
The primary mitigation for CVE-2026-1516 is to upgrade GitLab EE to version 18.10.3 or later. If an immediate upgrade is not feasible, consider restricting access to Code Quality reports to a limited group of users. Review Code Quality report configurations to ensure no malicious content is being introduced. Monitor GitLab logs for unusual activity related to Code Quality report generation and viewing. After upgrading, confirm the fix by generating and viewing a Code Quality report, verifying that IP addresses are not exposed.
Update GitLab to version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later to mitigate the vulnerability. This update corrects an issue that allowed the leakage of IP addresses of users viewing the Code Quality reports.
CVE-2026-1516 is a vulnerability in GitLab EE where a crafted Code Quality report can leak IP addresses of users viewing it, impacting user privacy.
You are affected if you are using GitLab EE versions 18.0.0 through 18.10.3. Upgrade to 18.10.3 or later to mitigate the risk.
Upgrade GitLab EE to version 18.10.3 or later. Consider restricting access to Code Quality reports as a temporary workaround.
There is currently no indication of active exploitation or a public proof-of-concept for CVE-2026-1516.
Refer to the official GitLab security advisory for CVE-2026-1516: [https://gitlab.com/security/advisories/CVE-2026-1516](https://gitlab.com/security/advisories/CVE-2026-1516)
CVSS Vector