Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.

💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

MEDIUMCVE-2026-4524CVSS 6.5

CVE-2026-4524: Authentication Bypass in GitLab

Plateforme

gitlab

Composant

gitlab

Corrigé dans

18.11.3

Voir sur NVD

Sauvegarder

Traduction vers votre langue…

CVE-2026-4524 describes an authentication bypass vulnerability discovered in GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows authenticated users to circumvent authorization checks and gain unauthorized access to confidential issue content within public projects. The vulnerability impacts versions 18.9.1 through 18.11.3 and has been resolved in version 18.11.3.

Impact et Scénarios d'Attaquetraduction en cours…

Successful exploitation of CVE-2026-4524 could lead to unauthorized disclosure of sensitive information contained within GitLab issues. Attackers could potentially access confidential project details, internal discussions, or proprietary data that should only be visible to authorized personnel. While the vulnerability requires authentication, the ease of bypassing authorization checks significantly expands the potential attack surface. This could result in data breaches, reputational damage, and potential legal ramifications for organizations relying on GitLab for project management and collaboration.

Contexte d'Exploitationtraduction en cours…

CVE-2026-4524 was published on May 14, 2026. As of this date, there are no publicly known active campaigns exploiting this vulnerability. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities). The EPSS (Exploit Prediction Scoring System) score is pending evaluation, indicating an unknown probability of exploitation. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Renseignement sur les Menaces

Statut de l'Exploit

Preuve de ConceptInconnu

CISA KEVNO

Exposition InternetÉlevée

CISA SSVC

Exploitationnone

Automatisableno

Impact Techniquepartial

Vecteur CVSS

Que signifient ces métriques?

Attack Vector: Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
Attack Complexity: Faible — aucune condition spéciale requise. Exploitable de manière fiable.
Privileges Required: Faible — tout compte utilisateur valide est suffisant.
User Interaction: Aucune — attaque automatique et silencieuse. La victime ne fait rien.
Scope: Inchangé — impact limité au composant vulnérable.
Confidentiality: Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
Integrity: Aucun — aucun impact sur l'intégrité.
Availability: Aucun — aucun impact sur la disponibilité.

Logiciel Affecté

Composantgitlab

FournisseurGitLab

Version minimale18.9.1

Version maximale18.11.3

Corrigé dans18.11.3

Classification de Faiblesse (CWE)

CWE-288

Chronologie

Réservé2026-03-20
Publiée2026-05-14

Mitigation et Contournementstraduction en cours…

The primary mitigation for CVE-2026-4524 is to immediately upgrade GitLab instances to version 18.11.3 or later. If upgrading is not immediately feasible, consider implementing stricter access controls within GitLab to limit the potential impact of unauthorized access. Review project permissions and ensure that only authorized users have access to sensitive issue content. While a WAF or proxy cannot directly prevent this bypass, it could potentially be configured to flag suspicious access patterns to confidential issue data. After upgrading, confirm the fix by attempting to access confidential issue content in a public project with a standard user account; access should be denied.

Comment corrigertraduction en cours…

Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad. Esta actualización corrige una falla de autorización que permitía el acceso no autorizado a contenido confidencial de issues en proyectos públicos.

Questions fréquentestraduction en cours…

What is CVE-2026-4524 — Authentication Bypass in GitLab?

CVE-2026-4524 is a medium severity vulnerability in GitLab CE/EE allowing authenticated users to access confidential issue content in public projects without proper authorization due to flawed authorization checks.

Am I affected by CVE-2026-4524 in GitLab?

You are affected if you are running GitLab CE/EE versions 18.9.1 through 18.11.3. Upgrade to 18.11.3 or later to mitigate the risk.

How do I fix CVE-2026-4524 in GitLab?

The recommended fix is to upgrade your GitLab instance to version 18.11.3 or a later version. Ensure you follow GitLab's upgrade procedures carefully.

Is CVE-2026-4524 being actively exploited?

As of May 14, 2026, there are no publicly known active campaigns exploiting CVE-2026-4524, but continuous monitoring is advised.

Where can I find the official GitLab advisory for CVE-2026-4524?

Refer to the official GitLab security advisory for CVE-2026-4524 on the GitLab website: [https://gitlab.com/security/advisories/](https://gitlab.com/security/advisories/)

Ton projet est-il affecté ?

Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.

Scanner gratuitement Rechercher des CVE

en directfree scan

Essayez maintenant — sans compte

scanZone.subtitle

Scan manuelSlack/email alertsContinuous monitoringWhite-label reports

Glissez-déposez votre fichier de dépendances

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...

Parcourir les fichiers