CVE-2018-19577
Description
Gitlab CE/EE, versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, are vulnerable to an incorrect access control vulnerability that displays to an unauthorized user the title and namespace of a confidential issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE before 11.3.11, 11.4.8, and 11.5.1 leaks confidential issue title and namespace via commit message cross-references.
Vulnerability
GitLab CE/EE versions 8.6 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1 are vulnerable to an access control flaw where the title and namespace of a confidential issue are exposed to unauthorized users via commit message cross-references [1]. When a commit message contains a reference to an issue (e.g., #1), GitLab renders it as a link; hovering over the link reveals the issue title and project namespace in a tooltip, even if the user is not authorized to view that issue or project.
Exploitation
An attacker must have at least Developer access to a project where they can create commits. They craft a commit message containing a cross-reference to a confidential issue in a private project they are authorized to view. When any user views the commit page (e.g., https://gitlab.com/:project/commits/:branch), hovering over the cross-reference link displays the confidential issue title and the private project's namespace [1]. No user interaction beyond hovering is required.
Impact
Unauthorized users can discover the title of confidential issues and the namespace (project path) of private projects. This leaks potentially sensitive information and violates the confidentiality of issues marked as confidential and projects with private visibility.
Mitigation
Upgrade to GitLab versions 11.3.11, 11.4.8, or 11.5.1 or later [1]. No workaround is available for affected versions. The fix was implemented in the merge request referenced in the issue.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab CE/EE
- Range: >= 8.6, < 11.3.11, >= 11.4, < 11.4.8, >= 11.5, < 11.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check when rendering issue cross-references in commit messages allows unauthorized users to see the title and namespace of confidential issues."
Attack vector
An attacker who is authorized to view a private project creates a commit whose message includes a cross-reference to a confidential issue in that project (e.g., `newpathhereds/testproject#1`). Any user who visits the project's commits page (e.g., `https://gitlab.com/:project_namespace/commits/master`) can then hover over the cross-reference link and see a tooltip revealing the confidential issue's title and the private project's namespace [1]. No special privileges beyond commit access to the referencing project are required.
Affected code
The vulnerability exists in the commit message rendering logic of GitLab CE/EE. When a commit message contains a cross-reference to an issue (e.g., `newpathhereds/testproject#1`), the system fetches and displays the issue's title and namespace in a tooltip on the commits page, without first verifying that the viewing user has access to that issue or its parent project.
What the fix does
The advisory does not include a published patch diff, but the referenced issue #52444 [1] links to a "Dev MR" (merge request) that would address the bug. The fix is expected to add an access control check before resolving issue cross-references in commit messages, ensuring that the title and namespace of a confidential issue are only displayed to users who have permission to view that issue. Without such a check, the tooltip leaks sensitive information to unauthorized viewers.
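The pattern described above, as an added illustrative model rather than GitLab's own code: a reference renderer that resolves `namespace/project#iid` and emits the issue title in a tooltip without consulting the viewer's permissions, beside a hardened version that applies the same visibility check the issue page itself would. The project, issue, user names and the title are constructed sample data.

```ruby
require 'erb'

# Constructed sample model (not GitLab's schema): a project is :public or :private,
# and an issue may be confidential, which restricts it to project members.
Project = Struct.new(:path, :visibility, :members)
Issue   = Struct.new(:project, :iid, :title, :confidential)

SECRET = Project.new('acme/secret', :private, ['alice'])
ISSUES = [Issue.new(SECRET, 1, 'rotate leaked API key', true)]

# Matches cross-references of the form namespace/project#123.
REF_RE = %r{(?<path>[\w./-]+)#(?<iid>\d+)}

def find_issue(issues, path, iid)
  issues.find { |i| i.project.path == path && i.iid == iid.to_i }
end

# The check the issue page enforces: private projects and confidential issues
# are visible to project members only.
def visible_issue?(issue, viewer)
  member = issue.project.members.include?(viewer)
  return false if issue.project.visibility == :private && !member
  return false if issue.confidential && !member
  true
end

def link_for(issue, ref_text)
  %(<a title="#{ERB::Util.html_escape(issue.title)}">#{ref_text}</a>)
end

# Vulnerable: resolves every reference and attaches the title regardless of who is looking.
def render_refs_vulnerable(message, issues)
  message.gsub(REF_RE) do |ref|
    issue = find_issue(issues, $~[:path], $~[:iid])
    issue ? link_for(issue, ref) : ref
  end
end

# Fixed: a reference the viewer may not see stays plain text, so the rendered page
# carries no title, no link and no confirmation that the issue exists.
def render_refs_fixed(message, issues, viewer)
  message.gsub(REF_RE) do |ref|
    issue = find_issue(issues, $~[:path], $~[:iid])
    issue && visible_issue?(issue, viewer) ? link_for(issue, ref) : ref
  end
end
```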
Preconditions
- Auth: The attacker must have commit access to a project (public or private) that can reference a confidential issue in a private namespace.
- Network: The victim must visit the commits page of the project containing the crafted commit message.
- Input: The commit message must contain a cross-reference link to a confidential issue (e.g., `namespace/project#issue_id`).
Reproduction
1. As an authenticated user with commit access to a project, create a commit whose message includes a cross-reference to a confidential issue in a private project you can view (e.g., `newpathhereds/testproject#1`).
2. Push the commit.
3. Visit the project's commits page (e.g., `https://gitlab.com/:project_namespace/commits/master`).
4. Hover the cursor over the cross-reference link (e.g., `newpathhereds/testproject#1`). The tooltip will display the confidential issue's title (e.g., `create some file please`) and the private namespace [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securityfocus.com/bid/109179 (BID)
- about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ (CONFIRM)
- gitlab.com/gitlab-org/gitlab-ce/issues/52444 (MISC)
News mentions
No linked articles in our index yet.