VYPR
Unrated severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 4, 2024

CVE-2019-5463

Description

An authorization issue was discovered in the GitLab CE/EE CI badge images endpoint which could result in disclosure of the build status. This vulnerability was addressed in 12.1.2, 12.0.4, and 11.11.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authorization flaw in GitLab's CI badge endpoint leaks build status and coverage to unauthorized users.

Vulnerability

An authorization bypass vulnerability exists in the GitLab CE/EE CI badge images endpoint. The endpoint fails to perform proper access control checks, allowing disclosure of build status and coverage for any branch, even when pipeline visibility is restricted. This affects GitLab versions prior to 12.1.2, 12.0.4, and 11.11.6 [1].

Exploitation

No authentication is required for public projects; otherwise the attacker is an authenticated user (a Guest member, in the case of private projects) who does not normally have pipeline access. By crafting a request to the badge URL (e.g., https://example.gitlab.com///badges//pipeline.svg), an attacker can retrieve the SVG image showing the latest build status and coverage for that branch, bypassing the project's restricted pipeline settings [1].

Impact

An attacker can view the build status and coverage percentage of any branch, including the default branch, for projects where they should not have pipeline visibility. This leaks sensitive information about the development process and build health to unauthorized users, potentially revealing if code is passing or failing tests [1].

Mitigation

The vulnerability is fixed in GitLab versions 12.1.2, 12.0.4, and 11.11.6 [1]. Users should upgrade to these or later versions. There is no recorded workaround for unpatched instances. The vulnerability is not listed in the CISA KEV catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • GitLab/CE/EE CI badge images endpoint
  • Range: < 11.11.6, >= 12.0 < 12.0.4, >= 12.1 < 12.1.2

Patches


No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check in the CI badge images endpoint allows unauthenticated or unauthorized users to retrieve build status and coverage information."

Attack vector

An attacker requests a badge SVG URL for a specific project and branch, e.g. `https://example.gitlab.com/test/cibadges/badges/master/pipeline.svg` or the coverage equivalent. The endpoint returns the build status or coverage percentage without verifying whether the requesting user has permission to view pipelines for that project. This works for public projects with restricted pipeline access (any user, even unauthenticated), internal projects with restricted pipeline access (any authenticated user), and private projects (any Guest user of that project) [1].

Affected code

The CI badge images endpoint at routes such as `/:namespace/:project/badges/:branch/pipeline.svg` and `/:namespace/:project/badges/:branch/coverage.svg` is affected [1]. The advisory does not specify the exact source file or function name.

What the fix does

The advisory states the fix is to "perform proper authorization check handling a badge request" [1]. No patch diff is included in the bundle, but the remediation guidance is clear: the badge images endpoint must enforce the same pipeline visibility restrictions that apply to the pipelines UI. The vulnerability was addressed in versions 12.1.2, 12.0.4, and 11.11.6.
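The following Ruby sketch is an added example, not GitLab's code and not the actual fix. It models the decision a badge endpoint has to make so that it matches the pipelines UI: a vulnerable handler that renders for anyone who can name the project path, beside a fixed handler that runs a pipeline-visibility check first. The data shapes (`Project`, the `members` and `pipelines` hashes), the Reporter-or-above threshold for restricted builds, and the sample projects are assumptions constructed for illustration.

```ruby
# Added example (not GitLab's code). Models the authorization rule a CI badge
# endpoint should share with the pipelines UI. Role threshold and data shapes
# are assumptions for illustration only.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# members:   { "alice" => :reporter }
# pipelines: { "master" => { status: "passed", coverage: 87.5 } }
Project = Struct.new(:visibility, :public_builds, :members, :pipelines, keyword_init: true)

# user is a login String, or nil for an anonymous request.
def can_read_pipelines?(project, user)
  role = user && project.members[user]
  # Members at Reporter or above can always read pipelines (assumption).
  return true if role && ROLE_RANK.fetch(role) >= ROLE_RANK[:reporter]
  # With "Public builds" disabled, nobody below that threshold may read them.
  return false unless project.public_builds

  case project.visibility
  when :public   then true        # anyone, including anonymous
  when :internal then !user.nil?  # any signed-in user
  when :private  then !role.nil?  # any member, Guest included
  else false
  end
end

# Renders the badge body; 404 when the branch has no pipeline.
def render_badge(project, branch, kind)
  run = project.pipelines[branch]
  return [404, nil] unless run

  body = kind == "coverage" ? "coverage: #{run[:coverage]}%" : "pipeline: #{run[:status]}"
  [200, body]
end

# Vulnerable shape (the CVE-2019-5463 behaviour): only checks the project exists.
def badge_vulnerable(projects, path, branch, kind, user = nil)
  project = projects[path]
  return [404, nil] unless project

  render_badge(project, branch, kind)
end

# Fixed shape: the badge enforces the same rule as the pipelines UI.
# Answering 404 rather than 403 avoids confirming that a restricted pipeline exists.
def badge_fixed(projects, path, branch, kind, user = nil)
  project = projects[path]
  return [404, nil] unless project && can_read_pipelines?(project, user)

  render_badge(project, branch, kind)
end

# Constructed sample data mirroring the advisory's reproduction scenario:
# a public project with "Public builds" disabled, plus a private project.
PROJECTS = {
  "test/cibadges" => Project.new(
    visibility: :public, public_builds: false,
    members: { "alice" => :reporter, "bob" => :guest },
    pipelines: { "master" => { status: "passed", coverage: 87.5 } }
  ),
  "acme/secret" => Project.new(
    visibility: :private, public_builds: false,
    members: { "carol" => :guest, "dave" => :maintainer },
    pipelines: { "master" => { status: "failed", coverage: 42.0 } }
  )
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Anonymous request against the restricted public project.
  p badge_vulnerable(PROJECTS, "test/cibadges", "master", "pipeline") # leaks status
  p badge_fixed(PROJECTS, "test/cibadges", "master", "pipeline")      # [404, nil]
end
```

The point of the fixed handler is that `can_read_pipelines?` is the single place the rule lives; the badge route calls the same predicate the pipelines UI would, so the two can no longer drift apart.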

Preconditions

  • network: Attacker must be able to reach the GitLab instance over HTTP/HTTPS.
  • config: The target project must have CI configured and have pushed at least one build.
  • auth: For public projects: no authentication required. For internal projects: any authenticated user. For private projects: Guest-level access to the project.

Reproduction

1. Create a public repository, configure CI, and push code (e.g. namespace `test/cibadges`).
2. Restrict repository visibility to "Project Members Only" and disable "Public builds" in CI settings.
3. As a non-authenticated user, visit `https://example.gitlab.com/test/cibadges/badges/master/pipeline.svg`: the SVG showing the build status of the `master` branch is returned. The same works for the coverage badge at `https://example.gitlab.com/test/cibadges/badges/master/coverage.svg` [1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.