Platform: gitlab
Component: gitlab
Fixed in: 18.8.9, 18.9.5, 18.10.3
CVE-2026-2104 is a confidentiality vulnerability discovered in GitLab CE/EE. This flaw allows an authenticated user to potentially access confidential issues assigned to other users through the CSV export functionality. The vulnerability impacts versions 18.2 through 18.10.3, and a fix is available in version 18.10.3.
The primary impact of CVE-2026-2104 is unauthorized access to sensitive issue data. An attacker who is already authenticated to GitLab could exploit this vulnerability to export a CSV file containing confidential issues assigned to other users. Depending on the content of those issues, this could expose sensitive project information, intellectual property, or personally identifiable information (PII). Although exploitation requires authentication, this vulnerability could be leveraged in insider threat scenarios or by users with elevated privileges who abuse their access.
CVE-2026-2104 was publicly disclosed on 2026-04-08. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature suggests it could be relatively straightforward to exploit once a PoC is developed.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-2104 is to upgrade GitLab to version 18.10.3 or later. Prior to upgrading, consider a rollback plan in case the upgrade introduces unforeseen compatibility issues. Review and tighten access control lists (ACLs) within GitLab to ensure users only have access to the issues they are authorized to view. Implement stricter permissions for CSV export functionality, limiting which users can export data and what data they can export. Regularly audit GitLab user permissions and access logs to detect any suspicious activity.
Update to GitLab version 18.8.9 or later, 18.9.5 or later, or 18.10.3 or later. This update corrects an authorization bypass vulnerability that allowed authenticated users to access confidential issues assigned to other users through CSV export.
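As an added illustration of the bug class (not GitLab's code and not taken from the advisory), the Ruby sketch below models an issue export that writes every row its project-level query returns without re-applying the confidential-issue visibility rule, next to a version that filters each issue with the same check the UI would use. The `Project`, `Issue` and `readable?` names, the visibility rule (members with Reporter role or above, the issue author, or an assignee), the sample users and issues, and the minimal comma-joined CSV writer are all assumptions made for this example.

```ruby
# Added example, not GitLab code: a toy model of the authorization gap behind
# CVE-2026-2104. All names, the visibility rule and the sample data below are
# assumptions made for illustration.
User  = Struct.new(:name, keyword_init: true)
Issue = Struct.new(:id, :title, :confidential, :author, :assignees, keyword_init: true)

# Roles assumed to grant read access to every confidential issue in a project.
REPORTER_OR_ABOVE = %w[reporter developer maintainer owner].freeze

class Project
  attr_reader :issues

  # members: { User => role string }
  def initialize(members:, issues:)
    @members = members
    @issues = issues
  end

  # Assumed visibility rule: a confidential issue is readable by Reporter+
  # members, by its author and by its assignees; non-confidential issues are
  # readable by everyone who can see the project.
  def readable?(issue, user)
    return true unless issue.confidential

    REPORTER_OR_ABOVE.include?(@members[user]) ||
      issue.author == user ||
      issue.assignees.include?(user)
  end
end

HEADER = %w[id title confidential].freeze

# Minimal CSV writer for the example (no quoting; titles must not contain commas).
def rows_to_csv(rows)
  ([HEADER] + rows).map { |r| r.join(',') }.join("\n")
end

# Vulnerable pattern: the export trusts the project-level query and serialises
# every issue, so a Guest who cannot open a confidential issue in the UI still
# receives it in the exported file.
def export_csv_unsafe(project, _user)
  rows_to_csv(project.issues.map { |i| [i.id, i.title, i.confidential] })
end

# Hardened pattern: the export applies the same per-issue check the UI uses,
# so the file can never contain more than the requesting user may read.
def export_csv_safe(project, user)
  visible = project.issues.select { |i| project.readable?(i, user) }
  rows_to_csv(visible.map { |i| [i.id, i.title, i.confidential] })
end

# Returns the issue ids present in an export, for checking what a user received.
def exported_ids(csv_text)
  csv_text.lines.drop(1).map { |line| line.split(',').first.to_i }
end

# Constructed sample data.
ALICE = User.new(name: 'alice')   # guest, assignee of issue 2
BOB   = User.new(name: 'bob')     # guest, assigned nothing
CAROL = User.new(name: 'carol')   # developer

SAMPLE_PROJECT = Project.new(
  members: { ALICE => 'guest', BOB => 'guest', CAROL => 'developer' },
  issues: [
    Issue.new(id: 1, title: 'Public bug', confidential: false, author: CAROL, assignees: []),
    Issue.new(id: 2, title: 'Customer data leak', confidential: true, author: CAROL, assignees: [ALICE]),
    Issue.new(id: 3, title: 'Unreleased feature', confidential: true, author: CAROL, assignees: [CAROL])
  ]
)

if __FILE__ == $PROGRAM_NAME
  puts "unsafe export for bob: #{exported_ids(export_csv_unsafe(SAMPLE_PROJECT, BOB)).inspect}"
  puts "safe export for bob:   #{exported_ids(export_csv_safe(SAMPLE_PROJECT, BOB)).inspect}"
end
```

The point to carry over when reviewing an export, report or API endpoint of your own is that bulk serialisation paths need the same per-record authorization check as the single-record view; a query scoped only to "issues in this project" is not an authorization decision.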
CVE-2026-2104 is a vulnerability in GitLab CE/EE allowing authenticated users to access confidential issues assigned to others via CSV export due to insufficient authorization checks. It has a CVSS score of 4.3 (MEDIUM).
You are affected if you are running GitLab versions 18.2.0 through 18.10.3. Upgrade to 18.10.3 or later to mitigate the risk.
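To turn the version ranges on this page into a check you can run against an instance's reported version, the following added Ruby snippet (not from GitLab or the advisory) treats 18.2.0 as the first affected release and the three "Fixed in" releases listed above, 18.8.9, 18.9.5 and 18.10.3, as the patched releases of their branches; branches 18.2 through 18.7 have no patched release and must move to a patched branch, and branches after 18.10 are treated as unaffected. The version strings in the test data are constructed, and the handling of suffixes such as `-ee` (taking the leading MAJOR.MINOR.PATCH) is an assumption.

```ruby
# Added example, not from the advisory: classify a GitLab version string
# against the CVE-2026-2104 ranges given on the page.
FIRST_AFFECTED = [18, 2, 0].freeze

# Patched release per branch, from the page's "Fixed in" list.
FIXED_IN = {
  [18, 8]  => [18, 8, 9],
  [18, 9]  => [18, 9, 5],
  [18, 10] => [18, 10, 3]
}.freeze
LATEST_FIX = FIXED_IN.values.max.freeze
FIRST_PATCHED_BRANCH = FIXED_IN.keys.min.freeze

# Accepts strings such as "18.9.2" or "18.9.2-ee" (assumed format) and returns
# [major, minor, patch] as integers.
def parse_version(str)
  m = str.to_s.match(/\A(\d+)\.(\d+)\.(\d+)/)
  raise ArgumentError, "unrecognised version string: #{str.inspect}" unless m

  m.captures.map(&:to_i)
end

# True when the version falls inside the affected range for its branch.
def affected?(str)
  v = parse_version(str)
  return false if (v <=> FIRST_AFFECTED).negative?

  fix = FIXED_IN[v[0, 2]]
  if fix
    (v <=> fix).negative?                        # same branch: affected until its patch release
  else
    (v[0, 2] <=> FIRST_PATCHED_BRANCH).negative? # 18.2..18.7: no patch; 18.11+: not affected
  end
end

# Smallest patched release the instance can move to: its own branch's patch
# release when one exists, otherwise the newest patched release on the page.
def upgrade_target(str)
  v = parse_version(str)
  (FIXED_IN[v[0, 2]] || LATEST_FIX).join('.')
end

if __FILE__ == $PROGRAM_NAME
  %w[18.1.9 18.5.1-ee 18.8.8 18.9.5 18.10.2 18.11.0].each do |ver|
    status = affected?(ver) ? "affected, upgrade to #{upgrade_target(ver)}" : 'not affected'
    puts "#{ver}: #{status}"
  end
end
```

Note that the page itself gives "18.2 through 18.10.3" as the affected range while listing 18.10.3 under "Fixed in"; the check above follows the "Fixed in" list, so 18.10.3 is reported as patched.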
Upgrade GitLab to version 18.10.3 or later. Prior to upgrading, create a rollback plan and review access control lists.
There is currently no evidence of active exploitation of CVE-2026-2104, but a PoC could make exploitation easier.
Refer to the official GitLab security advisory for CVE-2026-2104 at [https://gitlab.com/security/advisories/CVE-2026-2104](https://gitlab.com/security/advisories/CVE-2026-2104)