CVE-2019-5466
Description
An IDOR was discovered in GitLab CE/EE 11.5 and later that allowed the new merge requests endpoint to disclose label names.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An IDOR in GitLab CE/EE 11.5 and later allows any authenticated user who is a member of a project that permits merge request creation to enumerate label names from private projects via the new merge request endpoint.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in the merge request creation endpoint of GitLab CE/EE versions 11.5 and later [1]. By appending the parameter merge_request[label_ids][]= to the new merge request URL, an attacker can retrieve the name of any label, regardless of the target project's visibility settings [1]. The label IDs are sequentially assigned, allowing enumeration of all labels across the GitLab instance [1].
Exploitation
An attacker only needs to be a member of any project that permits merge request creation [1]. The attacker navigates to the new merge request page for that project and appends the merge_request[label_ids][]= parameter to the URL [1]. The server responds by populating the label name in the UI dropdown, enabling the attacker to read label names by iterating through sequential IDs [1]. No other authentication or privilege is required beyond standard project membership [1].
Impact
Successful exploitation allows the attacker to disclose label names belonging to private or restricted projects [1]. This compromises the confidentiality of project metadata, specifically label names, which can reveal internal project categories, workflows, or sensitive topics [1]. No write, modification, or execution privileges are gained [1].
Mitigation
The vulnerability was fixed in GitLab 12.1.2, released on 2019-07-29 [2]. Users should upgrade to version 12.1.2 or later [2]. No workaround was provided for versions prior to the fix, as the vulnerability is inherent to the endpoint's handling of label ID parameters [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab / GitLab CE/EE
  - Range: >=11.5, <12.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check on the merge request creation endpoint allows an attacker to enumerate label names by label ID, regardless of project visibility."
Attack vector
An attacker who is a member of any project with merge request creation privileges can enumerate label names from any project (including private ones) by appending `merge_request[label_ids][]=<LabelID>` parameters to the new merge request URL [ref_id=1]. Because label IDs are sequential integers, the attacker can iterate through IDs to discover all label names across the GitLab instance [ref_id=1]. The endpoint populates the label name in the UI dropdown without verifying that the attacker has access to the project the label belongs to [ref_id=1].
Affected code
The advisory does not specify exact file paths or functions. The vulnerable endpoint is the new merge request page at `/merge_requests/new` which accepts the `merge_request[label_ids][]` parameter [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix would require adding an authorization check on the `label_ids` parameter in the merge request creation endpoint to ensure the requesting user has visibility into the project that owns each supplied label ID [ref_id=1]. Without such a check, any authenticated user can enumerate labels across all projects regardless of project visibility settings [ref_id=1].
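The missing check described above, shown as an added illustration that is not GitLab's code: an in-memory model of projects, members and labels, with label-ID resolution written first in the vulnerable shape and then with the authorization check. Project, Label, PROJECTS, LABELS and the two resolve_* functions are names assumed for this example.

```ruby
# Added illustration, not GitLab's code: an in-memory model of projects, members
# and labels, with the label-ID resolution written two ways. Project, Label,
# PROJECTS, LABELS and the two resolve_* functions are names assumed here.
Project = Struct.new(:id, :visibility, :member_ids)  # visibility: :public / :private
Label   = Struct.new(:id, :project_id, :name)

# Constructed sample data. Label IDs are sequential across the whole instance,
# which is what makes walking them cheap once a lookup leaks the name.
PROJECTS = {
  1 => Project.new(1, :public,  [10]),
  2 => Project.new(2, :private, [20]),
}.freeze
LABELS = {
  1 => Label.new(1, 1, "bug"),
  2 => Label.new(2, 2, "acquisition-target"),
  3 => Label.new(3, 2, "layoffs-q3"),
}.freeze

# Read-access rule: public projects are readable by any signed-in user,
# private projects only by their members.
def can_read_project?(user_id, project)
  project.visibility == :public || project.member_ids.include?(user_id)
end

# Vulnerable shape: each supplied ID is looked up directly and its name echoed
# into the Labels dropdown. The requesting user's relationship to the label's
# owning project is never consulted, so every existing ID resolves (the IDOR).
def resolve_labels_unchecked(_user_id, label_ids)
  label_ids.map { |id| LABELS[id] }.compact.map(&:name)
end

# Hardened shape: resolve a label only when the requesting user can read the
# project that owns it; unknown and out-of-scope IDs are dropped silently so
# the response does not distinguish "no such label" from "not yours".
def resolve_labels_authorized(user_id, label_ids)
  label_ids.each_with_object([]) do |id, names|
    label = LABELS[id]
    next if label.nil?
    project = PROJECTS[label.project_id]
    next unless project && can_read_project?(user_id, project)
    names << label.name
  end
end
```

A stricter variant for a merge request form would additionally require each label to belong to the target project (or its group), since labels from unrelated projects are never valid there.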
Preconditions
- Auth: Attacker must be an authenticated GitLab user who is a member of at least one project with merge request creation capabilities.
- Input: Attacker must supply sequential label IDs via the `merge_request[label_ids][]` parameter.
Reproduction
1. As a project member with merge request creation privileges, navigate to the new merge request URL (e.g. `https://gitlab.com/<UserName>/<ProjectName>/merge_requests/new?utf8=%E2%9C%93&merge_request%5Bsource_project_id%5D=<ID>&merge_request%5Bsource_branch%5D=master1&merge_request%5Btarget_project_id%5D=<ID>&merge_request%5Btarget_branch%5D=master`).
2. Append `&merge_request[label_ids][]=<LabelID>` to the URL.
3. The label name will be populated in the Labels dropdown in the UI.
4. Iterate through sequential label IDs to enumerate all label names irrespective of project visibility settings [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- about.gitlab.com/releases/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
- gitlab.com/gitlab-org/gitlab-ce/issues/59809
- hackerone.com/reports/507113
News mentions
No linked articles in our index yet.