CVE-2019-5465
Description
An information disclosure issue was discovered in GitLab CE/EE 8.14 and later, by using the move issue feature which could result in disclosure of the newly created issue ID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE 8.14+ discloses the new issue ID when an issue is moved to a private project, leaking internal resource identifiers to any authenticated user.
Vulnerability
An information disclosure vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) starting from version 8.14. When an issue is moved from a public or internal project to a private project using the move issue feature, the API response of the original issue endpoint (/issues/.json) contains a moved_to_id field that reveals the internal ID of the newly created issue in the private project [1][2]. This affects all versions from 8.14 up to the fix in 12.1.2, 12.0.4, and 11.11.6 [2].
Exploitation
An attacker must be an authenticated GitLab user (no special privileges required) and have access to the original public or internal project's issue. The attacker navigates to the JSON representation of the original issue (e.g., https://gitlab.com///issues/.json). The response includes the moved_to_id parameter, which contains the internal ID of the issue that was created when the original issue was moved to a private project [1]. No additional user interaction or other conditions are required; the move action itself triggers the data leak.
Impact
An authenticated attacker can determine that an issue has been moved (even though the UI shows it as closed) and learn the internal ID of the issue in the destination private project [1]. This leaks information about the existence and internal tracking number of potentially sensitive work occurring in private projects, which may help attackers correlate activities or target resources in private projects. The impact is limited to information disclosure of internal issue IDs; however, this can be a stepping stone for further reconnaissance.
Mitigation
GitLab addressed this vulnerability in versions 12.1.2, 12.0.4, and 11.11.6, released on 2019-07-29 [2]. Users should upgrade to one of these patched versions or later. No workaround is available; the only remedy is deploying an updated GitLab version. Instances running 12.1.1, 12.0.3, 11.11.5, or any earlier release back to 8.14 are vulnerable. This issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=8.14
- Range: Affects GitLab CE/EE 8.14 and later
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The JSON API response for a moved issue includes the `moved_to_id` field without checking whether the authenticated user has access to the destination project."
Attack vector
An authenticated user navigates to the JSON representation of an issue that was moved from a public project to a private project (e.g., `https://gitlab.com/<GroupName>/<ProjectName>/issues/<IssueID>.json`). The JSON response contains a `moved_to_id` field that exposes the internal ID of the new issue in the private project, even though the user has no access to that private project [ref_id=1].
Affected code
The issue is in the JSON API endpoint for viewing an issue (`/issues/<IssueID>.json`). When an issue has been moved to a private project, the response includes a `moved_to_id` parameter that reveals the internal ID of the new issue in the private project [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] recommends that the `moved_to_id` parameter should not be visible publicly when the target project is private. The expected fix would remove or restrict the `moved_to_id` field from the JSON response for users who are not members of the destination project.
Preconditions
- auth: The attacker must be an authenticated GitLab user
- input: An issue must have been moved from a public project to a private project
- input: The attacker must know the original issue ID in the public project
Reproduction
1. As a project member in a public project, move any issue to a private project. This closes the original issue.
2. Now any authenticated user can navigate to the original issue's JSON endpoint: `https://gitlab.com/<GroupName>/<ProjectName>/issues/<IssueID>.json`
3. In the response, the `moved_to_id` parameter reveals the new issue ID created in the private project [ref_id=1].
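As an added example, not GitLab's own code and not taken from the advisory, the following Ruby sketch models both the fix described under "What the fix does" and the check performed in the reproduction steps: a vulnerable serializer that emits `moved_to_id` for every viewer beside a hardened one that emits it only when the viewer can read the destination project, plus a predicate applied to a fetched `.json` body. The `Project`, `Issue` and `User` structs, the access rule, and every ID are constructed assumptions for illustration.

```ruby
require 'json'

# Constructed, minimal model of the objects involved. Names and shapes are
# assumptions for illustration and are not GitLab's own classes.
Project = Struct.new(:id, :visibility, :member_ids)            # visibility: :public, :internal or :private
Issue   = Struct.new(:id, :iid, :project, :state, :moved_to)   # moved_to: the Issue it was moved to, or nil
User    = Struct.new(:id)

# Access rule assumed here: public and internal projects are readable by any
# authenticated user, private projects only by members.
def can_read_project?(user, project)
  case project.visibility
  when :public, :internal then true
  when :private then project.member_ids.include?(user.id)
  else false
  end
end

# Vulnerable response shape: the destination issue's ID is serialized for any viewer.
def issue_json_vulnerable(issue)
  {
    id: issue.id,
    iid: issue.iid,
    state: issue.state,
    moved_to_id: issue.moved_to && issue.moved_to.id
  }
end

# Hardened response shape: the destination ID is serialized only when the viewer can
# read the destination project. Otherwise the field is null, exactly as for an issue
# that was never moved, so the response does not reveal that a move happened at all.
def issue_json_hardened(issue, user)
  target = issue.moved_to
  visible = target && can_read_project?(user, target.project)
  {
    id: issue.id,
    iid: issue.iid,
    state: issue.state,
    moved_to_id: visible ? target.id : nil
  }
end

# Check from the reproduction: does a fetched /issues/<IssueID>.json body expose a
# destination issue ID? Takes the raw body string as returned by the endpoint.
def leaks_moved_to_id?(body)
  data = JSON.parse(body)
  !data['moved_to_id'].nil?
end

# Scenario from the advisory: an issue in a public project was moved to a private
# project, creating a new issue there. All IDs are constructed sample values.
def build_scenario
  public_project  = Project.new(1, :public,  [10])
  private_project = Project.new(2, :private, [10])
  new_issue = Issue.new(501, 1, private_project, 'opened', nil)
  old_issue = Issue.new(500, 7, public_project, 'closed', new_issue)
  { old_issue: old_issue, member: User.new(10), outsider: User.new(20) }
end

if __FILE__ == $PROGRAM_NAME
  s = build_scenario
  puts "vulnerable, outsider: #{JSON.generate(issue_json_vulnerable(s[:old_issue]))}"
  puts "hardened,   outsider: #{JSON.generate(issue_json_hardened(s[:old_issue], s[:outsider]))}"
  puts "hardened,   member:   #{JSON.generate(issue_json_hardened(s[:old_issue], s[:member]))}"
end
```

The hardened serializer keeps the `moved_to_id` key and sets it to null rather than omitting it: an absent key would itself tell an outsider that the issue was moved somewhere they cannot see, which is part of what the advisory's impact description is concerned with.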
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
- https://gitlab.com/gitlab-org/gitlab-ce/issues/62070
- https://hackerone.com/reports/584534
News mentions
No linked articles in our index yet.