CVE-2018-19582
Description
GitLab EE, versions 11.4 before 11.4.8 and 11.5 before 11.5.1, is affected by an insecure direct object reference vulnerability that permits an unauthorized user to publish the draft merge request comments of another user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE 11.4 (before 11.4.8) and 11.5.0 have an IDOR in `/drafts/publish` that lets any authenticated user forcibly publish another user's draft merge request comments.
Vulnerability
GitLab EE versions 11.4 before 11.4.8 and 11.5 before 11.5.1 are affected by an insecure direct object reference (IDOR) vulnerability in the /drafts/publish endpoint. The endpoint is used to publish draft merge request comments created via the “Start a review” feature. The application fails to verify that the draft ID supplied in the request belongs to the authenticated user, allowing the publishing of arbitrary drafts.
Exploitation
An attacker must be an authenticated GitLab user with network access to the instance. No special privileges are required. The steps are: (1) Create a merge request and save a review as draft to obtain any valid draft ID. (2) Intercept the publish request for one's own draft. (3) Replace the id parameter with the target user's draft ID. The endpoint then publishes that draft comment even though the attacker lacks access to the original merge request or discussion.
Impact
A successful attack causes the victim's draft comments – which may include confidential information – to be published on the merge request discussion thread. This leads to an unintended disclosure of draft content (confidentiality breach) and a violation of the intended review workflow. The attacker gains no write access beyond publishing the draft itself; the content is published under the victim's authorship.
Mitigation
The vulnerability is fixed in GitLab EE versions 11.4.8 and 11.5.1 [1]. All instances running earlier 11.4.x or 11.5.0 must upgrade immediately. No workaround is available for affected deployments. The issue is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab / GitLab EE
- Range: 11.4.0 - 11.4.7, 11.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check on the draft ID parameter in the `/drafts/publish` endpoint allows an attacker to publish another user's draft merge request comments."
Attack vector
An attacker can publish another user's draft merge request comments by intercepting the publish request and replacing the draft ID parameter with a victim's draft ID. The attacker first creates a draft review on their own merge request, then intercepts the "Add comment now" request and substitutes their own draft ID with the victim's draft ID obtained from a previous response [ref_id=1]. The endpoint does not verify ownership of the draft before publishing it, allowing the attacker to publish comments even on confidential merge requests they do not have access to [ref_id=1].
Affected code
The vulnerability exists in the `/drafts/publish` endpoint of GitLab EE. The issue is that the `ID` parameter in the publish request is not properly validated to ensure the draft belongs to the requesting user [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the issue was addressed in GitLab EE versions 11.4.8 and 11.5.1 [ref_id=1]. The fix would require the `/drafts/publish` endpoint to verify that the draft ID provided in the request belongs to the authenticated user before publishing it, preventing unauthorized users from publishing drafts they do not own [ref_id=1].
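As an added illustration (not GitLab's code; the `DraftStore` and function names are hypothetical), the following Ruby models the defect and the ownership-scoped lookup that closes it: the vulnerable handler resolves the draft by the client-supplied id alone, while the fixed handler only resolves drafts belonging to the authenticated user, so a foreign id behaves like a nonexistent one.

```ruby
# Added illustration (not GitLab's code): a minimal model of the IDOR in a
# "publish draft" endpoint and the ownership-scoped lookup that closes it.
Draft = Struct.new(:id, :author_id, :body, :published, keyword_init: true)

# Stand-in for the drafts table; names are hypothetical.
class DraftStore
  def initialize(drafts)
    @drafts = drafts.to_h { |d| [d.id, d] }
  end

  # Lookup by id alone: trusts whatever id the client sent.
  def find(id)
    @drafts[id]
  end

  # Lookup scoped to the authenticated user's own drafts.
  def find_for_author(id, author_id)
    draft = @drafts[id]
    draft if draft && draft.author_id == author_id
  end
end

# Vulnerable pattern: the draft id from the request is used directly,
# so any authenticated user can publish any user's draft.
def publish_draft_vulnerable(store, current_user_id, draft_id)
  draft = store.find(draft_id)
  return :not_found unless draft
  draft.published = true
  :published
end

# Fixed pattern: scope the lookup to the current user's drafts, so a
# foreign id is indistinguishable from a nonexistent one (no oracle).
def publish_draft_fixed(store, current_user_id, draft_id)
  draft = store.find_for_author(draft_id, current_user_id)
  return :not_found unless draft
  draft.published = true
  :published
end

# Constructed sample data: user 1's own draft and user 2's unpublished draft.
def sample_store
  DraftStore.new([
    Draft.new(id: 10, author_id: 1, body: "LGTM", published: false),
    Draft.new(id: 11, author_id: 2, body: "confidential note", published: false)
  ])
end
```

The same scoping (for example, `current_user.drafts.find(params[:id])` in a Rails controller instead of `Draft.find(params[:id])`) is the general defence against this class of IDOR.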
Preconditions
- Auth: Attacker must have a valid GitLab EE account to create a draft review and intercept requests
- Input: Attacker must know or obtain the victim's draft ID (e.g., from a network response)
- Input: The target draft must be in a 'draft' state (not yet published)
Reproduction
1. Create two accounts (A and B) and create separate merge requests in both.
2. Make a draft review in both merge requests by clicking "Start a review". Note down B's draft ID from the response.
3. Through account A, publish a comment by clicking "Add comment now".
4. Intercept the request and change the ID parameter to B's draft ID. B's draft will be successfully published under account A [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ (MITRE refsource: CONFIRM)
- gitlab.com/gitlab-org/gitlab-ee/issues/8180 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.