VYPR
NVD Advisory · Severity: unrated · Published Jul 10, 2019 · Updated Aug 5, 2024

CVE-2018-19581

Description

GitLab EE, versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure object reference vulnerability that allows a Guest user to set the weight of an issue they create.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE allows Guest users to set the weight of a new issue via a crafted POST request, bypassing intended permissions.

Vulnerability

An insecure object reference vulnerability exists in GitLab EE versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1. A Guest user, who should not be able to set issue metadata such as weight, can set the weight field by adding the issue[weight] parameter to the POST request when creating a new issue. The server does not validate that the user has permission to set weight, allowing the bypass [1].

Exploitation

An attacker needs only a Guest account on a public project. They intercept the POST request when submitting a new issue and add the parameter &issue%5Bweight%5D=9 (or any integer). The issue is created with that weight. No additional authentication or privileges are required [1].

Impact

The attacker can set an arbitrary weight on a new issue, which is a low-severity impact. It violates the intended permission model where Guest users should not be able to set issue metadata beyond confidentiality. This could be used to manipulate issue tracking or misrepresent workload [1].

Mitigation

The vulnerability is fixed in GitLab EE versions 11.3.11, 11.4.8, and 11.5.1. Users should upgrade to these versions or later. No workaround is mentioned in the available references [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • GitLab / GitLab EE
  • Range: >=8.3, <11.3.11 || >=11.4, <11.4.8 || >=11.5, <11.5.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing server-side authorization check on the `weight` parameter during issue creation allows Guest users to set issue weight."

Attack vector

An attacker who is a Guest user on a public GitLab project can set the weight of a newly created issue by intercepting the POST request during issue creation and appending the parameter `issue[weight]=9` (or any integer) to the form data [ref_id=1]. The server accepts this parameter without checking that Guests are not authorized to set issue weight, even though the UI does not expose this option for Guest users [ref_id=1]. No authentication bypass or special network position is required beyond being a logged-in Guest user with access to a public project.

Affected code

The vulnerability exists in the issue creation endpoint of GitLab EE (versions 8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1). The server-side controller that processes the POST request for new issues does not validate whether the user has permission to set the `weight` field [ref_id=1].

What the fix does

No patch diff is included in the bundle. The advisory indicates the fix was applied in GitLab EE versions 11.3.11, 11.4.8, and 11.5.1 [ref_id=1]. The remediation is expected to add server-side authorization checks on the `weight` parameter during issue creation, ensuring that Guest users cannot set issue weight regardless of what parameters they include in the POST body [ref_id=1].
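What such a server-side check looks like, as an added illustration that is not GitLab's own code: a Rails-style `issue[...]` form body is parsed and then filtered by an allowlist derived from the caller's role, so the body the client sends no longer decides which fields get applied. Role names, rank numbers and the two allowlists are assumptions made for the example.

```ruby
require 'uri'

# Illustrative model of the authorization gap behind CVE-2018-19581 and of the
# server-side check that closes it. Hypothetical code, not GitLab's own: role
# names, rank values and the parameter allowlists are assumptions.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Fields any project member may set on a new issue (assumed).
BASE_PERMITTED = %w[title description confidential].freeze
# Issue metadata that requires Reporter access or higher (assumed).
METADATA_PERMITTED = %w[weight].freeze

# Turns a form body such as "issue%5Btitle%5D=Hi&issue%5Bweight%5D=9" into
# {"title"=>"Hi", "weight"=>"9"}; keys outside issue[...] are ignored.
def parse_issue_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), out|
    next unless (m = key.match(/\Aissue\[(\w+)\]\z/))
    out[m[1]] = value
  end
end

# Vulnerable shape: every issue[...] field the client sends is applied,
# so the UI hiding the weight input is the only "control".
def build_issue_vulnerable(body)
  parse_issue_params(body)
end

# Hardened shape: the allowlist is derived from the caller's role on the
# server, so a Guest cannot smuggle `weight` in however the body is crafted.
def permitted_issue_keys(role)
  keys = BASE_PERMITTED.dup
  keys += METADATA_PERMITTED if ROLE_RANK.fetch(role) >= ROLE_RANK[:reporter]
  keys
end

def build_issue_hardened(body, role)
  allowed = permitted_issue_keys(role)
  parse_issue_params(body).select { |key, _| allowed.include?(key) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: a Guest adds issue[weight] to the New Issue form.
  body = 'issue%5Btitle%5D=Typo&issue%5Bdescription%5D=Fix+it&issue%5Bweight%5D=9'
  p build_issue_vulnerable(body)        # weight accepted
  p build_issue_hardened(body, :guest)  # weight dropped
end
```

A real controller would additionally reject, log, or audit the stripped field rather than only dropping it silently, since a Guest sending `issue[weight]` is itself a signal worth seeing in detection.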

Preconditions

  • auth: Attacker must be a Guest user on a public GitLab project.
  • network: Attacker must be able to intercept or modify the HTTP POST request when creating a new issue.
  • config: The target GitLab instance must be running an affected version (8.3 up to 11.x before 11.3.11, 11.4 before 11.4.8, or 11.5 before 11.5.1).

Reproduction

1. Log in as a Guest user on a GitLab EE instance running an affected version.
2. Navigate to any public project and click "New Issue".
3. Fill in the title and description, then intercept the POST request before submission.
4. Append `&issue%5Bweight%5D=9` to the POST body.
5. Submit the request. The created issue will have a weight of 9, which a Guest should not be able to set [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.