Esta página ainda não foi traduzida para o seu idioma. Exibindo conteúdo em inglês enquanto trabalhamos nisso.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-3160: Information Disclosure in GitLab
Plataforma
gitlab
Componente
gitlab
Corrigido em
18.11.3
CVE-2026-3160 describes an information disclosure vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw allows authenticated users to view Jira issues that fall outside the intended project scope, effectively bypassing access controls. The vulnerability impacts versions 13.7.0 through 18.11.3, and a fix is available in version 18.11.3.
Impacto e Cenários de Ataquetraduzindo…
The primary impact of CVE-2026-3160 is unauthorized access to Jira issue data. An attacker, already authenticated within GitLab, could leverage this vulnerability to view Jira issues associated with other projects or teams they are not explicitly authorized to access. This could expose sensitive information such as bug reports, feature requests, or internal discussions. The blast radius is limited to the Jira integration within GitLab; however, the potential for data leakage remains significant, particularly in organizations where Jira is used to manage critical project information. This vulnerability highlights the importance of proper access control enforcement within integrated systems.
Contexto de Exploraçãotraduzindo…
CVE-2026-3160 was published on May 14, 2026. Its severity is currently assessed as medium. No public proof-of-concept (POC) code has been released as of this writing. There are no indications of active exploitation campaigns targeting this vulnerability. The vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Inteligência de Ameaças
Status do Exploit
CISA SSVC
Vetor CVSS
O que significam essas métricas?
- Attack Vector
- Rede — explorável remotamente pela internet. Sem acesso físico ou local necessário.
- Attack Complexity
- Baixa — sem condições especiais. O atacante pode explorar de forma confiável.
- Privileges Required
- Nenhum — sem autenticação necessária para explorar.
- User Interaction
- Nenhuma — ataque automático e silencioso. A vítima não faz nada.
- Scope
- Alterado — o ataque pode pivotar para além do componente vulnerável.
- Confidentiality
- Baixo — acesso parcial ou indireto a alguns dados.
- Integrity
- Nenhum — sem impacto na integridade.
- Availability
- Nenhum — sem impacto na disponibilidade.
Software Afetado
Classificação de Fraqueza (CWE)
Linha do tempo
- Reservado
- Publicada
Mitigação e Soluções Alternativastraduzindo…
The recommended mitigation for CVE-2026-3160 is to immediately upgrade GitLab to version 18.11.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the Jira integration until the upgrade can be performed. Review existing Jira integration configurations to ensure that access controls are properly enforced at the Jira level. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for unusual Jira access patterns that might indicate exploitation. After upgrading, verify the fix by attempting to access Jira issues outside the expected project scope; access should be denied.
Como corrigirtraduzindo…
Actualice GitLab a la versión 18.9.7 o superior, 18.10.6 o superior, o 18.11.3 o superior para mitigar la vulnerabilidad. Esta actualización corrige un problema de 'Confused Deputy' que permitía a usuarios autenticados acceder a información de Jira fuera del alcance del proyecto configurado.
Perguntas frequentestraduzindo…
What is CVE-2026-3160 — Information Disclosure in GitLab?
CVE-2026-3160 is a medium severity vulnerability in GitLab affecting versions 13.7.0–18.11.3. It allows authenticated users to view Jira issues outside the configured project scope, bypassing access controls.
Am I affected by CVE-2026-3160 in GitLab?
You are affected if you are running GitLab CE or EE versions 13.7.0 through 18.11.3. Versions prior to 18.11.3 are vulnerable to information disclosure.
How do I fix CVE-2026-3160 in GitLab?
Upgrade GitLab to version 18.11.3 or later to remediate the vulnerability. If immediate upgrade is not possible, temporarily disable the Jira integration.
Is CVE-2026-3160 being actively exploited?
As of the current assessment, there are no indications of active exploitation campaigns targeting CVE-2026-3160.
Where can I find the official GitLab advisory for CVE-2026-3160?
Refer to the official GitLab security advisory for CVE-2026-3160 on the GitLab website: [https://gitlab.com/security/advisories/CVE-2026-3160](https://gitlab.com/security/advisories/CVE-2026-3160)
Seu projeto está afetado?
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Experimente agora — sem conta
Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.
Arraste e solte seu arquivo de dependências
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...