VYPR
Unrated severity · NVD Advisory · Published Jul 10, 2019 · Updated Aug 5, 2024

CVE-2018-19584

Description

GitLab EE, versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1, is vulnerable to an insecure direct object reference vulnerability that allows authenticated, but unauthorized, users to view members and milestone details of private groups.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An IDOR vulnerability in GitLab EE board endpoints allows authenticated users to view members and milestone details of private groups.

Vulnerability

GitLab EE versions 11.x before 11.3.11, 11.4 before 11.4.8, and 11.5 before 11.5.1 contain an insecure direct object reference (IDOR) vulnerability in the board endpoints [1]. The /boards/{board_id}/users.json and /boards/{board_id}/milestones.json endpoints do not enforce authorization checks, allowing any authenticated user to access data belonging to private groups if they can guess or enumerate the board ID [1].

Exploitation

An attacker must be authenticated to GitLab (any account is sufficient) and does not need any special privileges [1]. The exploitation sequence is: (1) authenticate to GitLab; (2) enumerate board IDs (e.g., iterating through numeric IDs); (3) access the URLs https://gitlab.com/-/boards/{board_id}/users.json or https://gitlab.com/-/boards/{board_id}/milestones.json; (4) the server returns member names and milestone details even when the board belongs to a private group [1].
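The enumeration described above leaves a distinctive trace: one authenticated actor requesting `/-/boards/{board_id}/users.json` or `milestones.json` for many different board IDs in a short time, with misses (404) interleaved for IDs that do not exist. The following detection is an added example written for this page, not code from the advisory or from GitLab; it assumes access logs in the common combined log format (client IP, authenticated username, timestamp, request line, status) and a window/threshold of 60 seconds and 5 distinct board IDs, both of which are tuning assumptions. The sample log lines are constructed.

```ruby
require 'time'

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes
LINE_RE  = /\A(?<ip>\S+) \S+ (?<user>\S+) \[(?<ts>[^\]]+)\] "(?<verb>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})/
# The two board endpoints named in the advisory.
BOARD_RE = %r{\A/-/boards/(?<id>\d+)/(?:users|milestones)\.json}

# Constructed sample: "mallory" walks board ids 1..9 in seven seconds (two of them
# do not exist); "alice" uses a single board she can legitimately see.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - mallory [05/Dec/2018:10:00:01 +0000] "GET /-/boards/1/users.json HTTP/1.1" 200 312
  10.0.0.5 - mallory [05/Dec/2018:10:00:02 +0000] "GET /-/boards/2/users.json HTTP/1.1" 200 540
  10.0.0.5 - mallory [05/Dec/2018:10:00:03 +0000] "GET /-/boards/3/users.json HTTP/1.1" 404 0
  10.0.0.5 - mallory [05/Dec/2018:10:00:03 +0000] "GET /-/boards/4/users.json HTTP/1.1" 200 201
  10.0.0.5 - mallory [05/Dec/2018:10:00:04 +0000] "GET /-/boards/5/milestones.json HTTP/1.1" 200 188
  10.0.0.5 - mallory [05/Dec/2018:10:00:05 +0000] "GET /-/boards/6/milestones.json HTTP/1.1" 200 97
  10.0.0.5 - mallory [05/Dec/2018:10:00:06 +0000] "GET /-/boards/7/users.json HTTP/1.1" 404 0
  10.0.0.5 - mallory [05/Dec/2018:10:00:07 +0000] "GET /-/boards/8/users.json HTTP/1.1" 200 450
  10.0.0.5 - mallory [05/Dec/2018:10:00:08 +0000] "GET /-/boards/9/users.json HTTP/1.1" 200 311
  10.0.0.9 - alice [05/Dec/2018:10:01:00 +0000] "GET /groups/private-infra/-/boards HTTP/1.1" 200 8812
  10.0.0.9 - alice [05/Dec/2018:10:01:01 +0000] "GET /-/boards/2/users.json HTTP/1.1" 200 540
  10.0.0.9 - alice [05/Dec/2018:10:01:02 +0000] "GET /-/boards/2/milestones.json HTTP/1.1" 200 260
  10.0.0.9 - alice [05/Dec/2018:10:05:00 +0000] "GET /-/boards/2/users.json HTTP/1.1" 200 540
LOG

# Keep only requests to the two board JSON endpoints, normalised to a small record.
# Unauthenticated lines ("-" user) are keyed by client IP instead.
def parse_board_requests(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    b = BOARD_RE.match(m[:path]) or next
    {
      actor:    m[:user] == '-' ? m[:ip] : m[:user],
      ip:       m[:ip],
      time:     Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
      board_id: b[:id].to_i,
      status:   m[:status].to_i,
    }
  end
end

# One alert per actor whose busiest `window`-second span touches at least
# `threshold` distinct board ids. Both 200 and 404 responses count: a scan of
# sequential ids produces misses, and on a patched instance the unauthorized
# hits come back as 404 too, so status alone is not a useful filter.
def board_enumeration(log, window: 60, threshold: 5)
  parse_board_requests(log).group_by { |r| r[:actor] }.filter_map do |actor, reqs|
    reqs = reqs.sort_by { |r| r[:time] }
    best = nil
    reqs.each_with_index do |start, i|
      span  = reqs[i..].take_while { |r| r[:time] - start[:time] <= window }
      ids   = span.map { |r| r[:board_id] }.uniq
      next if best && ids.size <= best[:distinct_boards]
      best = {
        actor: actor, ip: start[:ip], distinct_boards: ids.size, boards: ids,
        misses: span.count { |r| r[:status] == 404 },
        first: start[:time], last: span.last[:time],
      }
    end
    best if best[:distinct_boards] >= threshold
  end
end

if __FILE__ == $PROGRAM_NAME
  board_enumeration(SAMPLE_LOG).each do |a|
    puts "#{a[:actor]} (#{a[:ip]}): #{a[:distinct_boards]} boards, #{a[:misses]} misses, #{a[:first]}..#{a[:last]}"
  end
end
```

Run over real logs, the interesting population is actors who are not members of the groups whose boards they touched; this script only surfaces the scan pattern, and the membership check has to be done against the instance's own data.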

Impact

Successful exploitation leads to disclosure of private group member lists and milestone information [1]. The attacker gains unauthorized read access to sensitive metadata (members, milestones) of any private group that has an associated board, bypassing the intended access restrictions [1].

Mitigation

GitLab released fixes in versions 11.3.11, 11.4.8, and 11.5.1 [1]. Users should upgrade to these or later versions. No workaround is documented; upgrading is the recommended solution [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • GitLab / GitLab EE
  • Range: >=11 <11.3.11, >=11.4 <11.4.8, >=11.5 <11.5.1

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check in the board endpoint allows any authenticated user to view members and milestones of private groups."

Attack vector

An authenticated attacker can enumerate board IDs (e.g., starting from 1) and access `/-/boards/{board_id}/users.json` and `/-/boards/{board_id}/milestones.json` without any authorization check [ref_id=1]. The board endpoint does not verify whether the user belongs to or has permission to view the private group that owns the board. By simply incrementing the board ID, the attacker can discover and disclose member lists and milestone details of any private group that has an associated board [ref_id=1].

Affected code

The board endpoint at `/-/boards/{board_id}/users.json` and `/-/boards/{board_id}/milestones.json` lacks authorization checks. The issue is in the board controller's handling of these JSON endpoints, which fail to verify that the requesting user has permission to view the members and milestones of the group that owns the board [ref_id=1].

What the fix does

The advisory does not include a patch diff, so the exact change is not visible here. Whatever its form, the fix has to add an authorization check in front of the board endpoint's `users.json` and `milestones.json` actions: before either action renders member or milestone data, the controller must verify that the authenticated user has at least read access to the group that owns the board, and refuse the request otherwise. No patch is published in the provided bundle.
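To make the missing check concrete, here is an added example (written for this page, not GitLab's controller code) that models the two endpoints in plain Ruby over a constructed in-memory fixture. `can_read_group?` is a simplified stand-in for GitLab's group read permission, and `enumerate_boards` plays the attacker from the Attack vector section. The vulnerable actions resolve a board ID straight to its group and render; the remedied ones route both actions through one `authorize_board!` check and answer unauthorized requests with the same not-found result as non-existent boards, so the endpoint stops confirming which IDs belong to private groups.

```ruby
require 'json'

# Constructed fixture (not real GitLab data): two groups, one of them private.
User  = Struct.new(:id, :username)
Group = Struct.new(:id, :path, :visibility, :member_ids, :milestones)
Board = Struct.new(:id, :group_id)

USERS = {
  1 => User.new(1, 'alice'),
  2 => User.new(2, 'bob'),
  3 => User.new(3, 'mallory'), # authenticated, but a member of nothing private
}
GROUPS = {
  10 => Group.new(10, 'public-tools',  :public,  [1],    ['v1.0']),
  11 => Group.new(11, 'private-infra', :private, [1, 2], ['Q3 migration', 'HSM rollout']),
}
BOARDS = { 1 => Board.new(1, 10), 2 => Board.new(2, 11) }

class NotFound < StandardError; end

# Simplified stand-in for GitLab's read_group permission (assumption): public
# groups are readable by any authenticated user, private ones only by members.
def can_read_group?(user_id, group)
  group.visibility != :private || group.member_ids.include?(user_id)
end

def load_board(board_id)
  board = BOARDS[board_id] or raise NotFound
  [board, GROUPS.fetch(board.group_id)]
end

def render_users(group)
  group.member_ids.map { |id| { 'id' => id, 'username' => USERS.fetch(id).username } }.to_json
end

def render_milestones(group)
  group.milestones.map { |title| { 'title' => title } }.to_json
end

# Vulnerable shape of GET /-/boards/:board_id/users.json and milestones.json:
# the board id is resolved to its group and rendered; the current user is
# never consulted, so any authenticated caller who knows (or guesses) the id
# gets the private group's data.
def users_json_vulnerable(_current_user_id, board_id)
  _board, group = load_board(board_id)
  render_users(group)
end

def milestones_json_vulnerable(_current_user_id, board_id)
  _board, group = load_board(board_id)
  render_milestones(group)
end

# Remedied shape: one before_action-style check shared by both actions.
# Unauthorized callers get NotFound, indistinguishable from a missing board.
def authorize_board!(current_user_id, board_id)
  _board, group = load_board(board_id)
  raise NotFound unless can_read_group?(current_user_id, group)
  group
end

def users_json_fixed(current_user_id, board_id)
  render_users(authorize_board!(current_user_id, board_id))
end

def milestones_json_fixed(current_user_id, board_id)
  render_milestones(authorize_board!(current_user_id, board_id))
end

# The attack from the advisory: walk board ids and keep whatever comes back.
# `handler` is the symbol of one of the four action methods above.
def enumerate_boards(current_user_id, board_ids, handler)
  board_ids.each_with_object({}) do |board_id, leaked|
    leaked[board_id] = JSON.parse(send(handler, current_user_id, board_id))
  rescue NotFound
    # missing board, or (fixed form only) not authorized: nothing to record
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{enumerate_boards(3, 1..5, :users_json_vulnerable)}"
  puts "fixed:      #{enumerate_boards(3, 1..5, :users_json_fixed)}"
end
```

Against the vulnerable actions, user 3 (a member of no private group) recovers the member list and milestones of board 2, which belongs to the private group; against the fixed actions the same walk yields only the public board, while a genuine member (user 2) still sees both.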

Preconditions

  • auth: Attacker must be authenticated to GitLab
  • input: Target group must have a board created (board_id is discoverable by enumeration)

Reproduction

1. Log in to GitLab as any authenticated user.
2. Visit `https://gitlab.com/-/boards/{board_id}/users.json` and `https://gitlab.com/-/boards/{board_id}/milestones.json`, replacing `{board_id}` with the ID of a board belonging to a private group.
3. Observe that the member list and milestone details of the private group are returned without authorization [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.