CVE-2020-13351
Description
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, <13.3.9; >=13.4.0, <13.4.5; >=13.5.0, <13.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE 13.0+ fails to enforce permission checks on scheduled pipeline API, allowing unauthorized users to read variable names and values.
Vulnerability
The scheduled pipeline API in GitLab CE/EE versions 13.0.0 through 13.3.8, 13.4.0 through 13.4.4, and 13.5.0 through 13.5.1 lacks sufficient permission checks. According to the intended security model, only owners and maintainers should be able to read variables assigned to a schedule, but the API endpoint GET /api/v4/projects/:id/pipeline_schedules/:schedule_id returns variable names and values to any authenticated user who can view the project, including developers and external users [1].
Exploitation
An attacker needs only a valid GitLab personal access token (or any other accepted API credential, such as an OAuth token) and the ability to view the target project. The attacker sends a GET request to the pipeline schedule detail endpoint for a project they can access. The response includes the schedule's custom variables and their values, which should have been withheld from callers below Maintainer [1]. No special privileges or user interaction beyond authentication is required, and the request is indistinguishable from a legitimate API call in the instance's access logs.
Impact
An attacker can read sensitive variable names and values defined for scheduled pipelines. These variables commonly hold secrets such as API keys, passwords, deploy tokens, or cloud credentials used by CI/CD jobs. Leaking them lets the attacker act directly against the systems those jobs deploy to or authenticate against, or use the credentials to gain further access [1].
Mitigation
GitLab released fixes in versions 13.3.9, 13.4.5, and 13.5.2. Users should upgrade to these or later versions. No workaround is available; the vulnerability is addressed by enforcing proper permission checks on the API endpoint [1]. Because a successful read looks like any other authenticated API call, treat every secret stored in a scheduled pipeline variable on an affected version as potentially exposed and rotate it after upgrading; going forward, keep credentials in project or group CI/CD variables (which can be marked masked and protected) rather than in schedule variables. The issue was reported via HackerOne and is not listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab CE/EE (no CPE), range: >=13.0, <13.3.9; >=13.4.0, <13.4.5; >=13.5.0, <13.5.2
- GitLab CE/EE (no CPE), range: >=13.0 (open-ended range as published; the bounded ranges above are the authoritative fixed versions)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing permission check in the pipeline schedule API endpoint allows any user who can view a project to read scheduled pipeline variable names and values."
Attack vector
An attacker with any valid GitLab API token can call `GET /api/v4/projects/:id/pipeline_schedules/:schedule_id` against a project visible to them, even if they are only a Developer or not a member of the project at all [ref_id=1]. The API response includes the names and values of custom variables configured on the scheduled pipeline, which the security model intended to restrict to Owners and Maintainers (the role GitLab called Master before 11.0) [ref_id=1]. The attacker needs nothing beyond a valid API token and visibility of the target project.
Affected code
The vulnerability exists in the GitLab API endpoint `GET /api/v4/projects/:id/pipeline_schedules/:schedule_id` [ref_id=1]. The endpoint serializes pipeline schedule variables and their values into the response without verifying that the requesting user holds the required access level (Maintainer or Owner) to read those variables [ref_id=1]; the only check performed is the one that gates viewing the project itself.
What the fix does
The advisory does not include a patch diff, but the issue [ref_id=1] describes the required fix: the API endpoint must enforce the same permission check that the security model specifies, so that only Owners and Maintainers (or equivalent roles) can read variables assigned to a pipeline schedule. Developers should still be able to list schedules and see their metadata, but the variables field must be withheld from them [ref_id=1].
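As an added illustration of the check the issue calls for (this is not GitLab's code; the struct and function names are hypothetical, while the numeric access levels are GitLab's documented API values), here is the vulnerable shape of a schedule detail serializer beside the hardened one:

```ruby
# Added illustration, not GitLab's code: a minimal stand-in for the schedule
# detail serializer behind GET /api/v4/projects/:id/pipeline_schedules/:schedule_id.
# Access-level numbers are GitLab's documented API values; the struct and
# function names are hypothetical.
GUEST      = 10
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

PipelineSchedule = Struct.new(:id, :description, :ref, :cron, :variables)

# Vulnerable shape: anyone who may read the schedule gets every field,
# including variable values, because nothing looks at who is asking.
def serialize_schedule_vulnerable(schedule, _access_level)
  {
    id: schedule.id,
    description: schedule.description,
    ref: schedule.ref,
    cron: schedule.cron,
    variables: schedule.variables.map { |v| { key: v[:key], value: v[:value] } }
  }
end

# Hardened shape: the permission check is a single predicate on the caller's
# access level so it cannot drift between the list and detail endpoints.
# nil covers a caller with no membership (public or internal project).
def can_read_schedule_variables?(access_level)
  !access_level.nil? && access_level >= MAINTAINER
end

def serialize_schedule(schedule, access_level)
  payload = {
    id: schedule.id,
    description: schedule.description,
    ref: schedule.ref,
    cron: schedule.cron
  }
  # Omit the key entirely rather than emitting an empty array, so a client
  # cannot mistake "not allowed to see" for "no variables defined".
  if can_read_schedule_variables?(access_level)
    payload[:variables] = schedule.variables.map { |v| { key: v[:key], value: v[:value] } }
  end
  payload
end
```

The point of the predicate is that the same `can_read_schedule_variables?` decision must be applied on every path that can emit a schedule (detail endpoint, list endpoint, any `expose`-style serializer); the bug class here is precisely one serializer forgetting to ask.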
Preconditions
- auth: Attacker must have a valid GitLab API token (personal access token, OAuth token, etc.)
- config: Target project must be visible to the attacker (public or internal project, or attacker is already a member with at least Reporter role)
- input: Target project must have at least one scheduled pipeline with custom variables defined
- config: Affected GitLab version must be >=13.0, <13.3.9; >=13.4.0, <13.4.5; or >=13.5.0, <13.5.2
Reproduction
1. Identify a project visible to you that has a scheduled pipeline with custom variables.
2. Obtain the project ID and pipeline schedule ID (e.g., by listing schedules via `GET /api/v4/projects/:id/pipeline_schedules`).
3. Send a GET request with your API token: `curl --header "Private-Token:
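The same procedure as an added audit script (not from the page or from GitLab) that an administrator can run with a deliberately low-privilege token to confirm whether an instance still leaks schedule variables: it walks the projects visible to the token, records the token's access level on each, fetches every schedule's detail record, and flags any schedule that returns variables to a caller below Maintainer. The endpoint paths, the `permissions.project_access.access_level` field and the access-level numbers are GitLab's documented API; the function names, the injected `fetch` callable and the sample responses are this script's own, and the sample responses are constructed, not captured.

```ruby
#!/usr/bin/env ruby
# Added audit script, not GitLab's code. Endpoint paths and the access-level
# numbers are GitLab's documented API; everything else here is hypothetical.
require 'json'
require 'net/http'
require 'uri'

MAINTAINER = 40

# Real transport: GET an API path with the token and parse the JSON body.
def gitlab_get(base_url, token, path)
  uri = URI("#{base_url}/api/v4#{path}")
  req = Net::HTTP::Get.new(uri)
  req['Private-Token'] = token
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
  raise "GET #{path} -> HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)
end

# Access level the token holds on a project, as reported by the project
# record's permissions block (direct membership first, then group); nil means
# the caller sees the project only because it is public or internal.
def access_level(project)
  perms = project['permissions'] || {}
  (perms['project_access'] || {})['access_level'] || (perms['group_access'] || {})['access_level']
end

# Core logic with the HTTP call injected so it runs offline in tests.
# Returns [project_id, schedule_id, variable keys] per leaking schedule;
# values are deliberately not collected, only the fact that they came back.
def find_leaked_schedule_variables(fetch)
  findings = []
  fetch.call('/projects?per_page=100').each do |p|
    lvl = access_level(p)
    next if !lvl.nil? && lvl >= MAINTAINER # caller is entitled to the variables here
    fetch.call("/projects/#{p['id']}/pipeline_schedules").each do |s|
      detail = fetch.call("/projects/#{p['id']}/pipeline_schedules/#{s['id']}")
      vars = detail['variables'] || []
      findings << [p['id'], s['id'], vars.map { |v| v['key'] }] unless vars.empty?
    end
  end
  findings
end

# Constructed sample responses standing in for a vulnerable instance: the
# token is a Developer (30) on project 42, a non-member on project 7, and a
# Maintainer (40) on project 9, whose schedules must never be requested.
SAMPLE = {
  '/projects?per_page=100' => [
    { 'id' => 42, 'permissions' => { 'project_access' => { 'access_level' => 30 }, 'group_access' => nil } },
    { 'id' => 7,  'permissions' => { 'project_access' => nil, 'group_access' => nil } },
    { 'id' => 9,  'permissions' => { 'project_access' => { 'access_level' => 40 }, 'group_access' => nil } }
  ],
  '/projects/42/pipeline_schedules'    => [{ 'id' => 3 }],
  '/projects/7/pipeline_schedules'     => [{ 'id' => 11 }, { 'id' => 12 }],
  '/projects/42/pipeline_schedules/3'  => { 'id' => 3,  'variables' => [{ 'key' => 'DEPLOY_KEY', 'value' => 'leaked' }] },
  '/projects/7/pipeline_schedules/11'  => { 'id' => 11, 'variables' => [] },
  '/projects/7/pipeline_schedules/12'  => { 'id' => 12, 'variables' => [{ 'key' => 'AWS_SECRET_ACCESS_KEY', 'value' => 'leaked' }] }
}.freeze

def sample_fetch
  ->(path) { SAMPLE.fetch(path) { raise "no constructed response for #{path}" } }
end

if __FILE__ == $PROGRAM_NAME
  fetch = if ENV['GITLAB_URL'] && ENV['GITLAB_TOKEN']
            ->(path) { gitlab_get(ENV['GITLAB_URL'], ENV['GITLAB_TOKEN'], path) }
          else
            sample_fetch
          end
  find_leaked_schedule_variables(fetch).each do |pid, sid, keys|
    puts "project #{pid} schedule #{sid}: variables returned to sub-Maintainer caller: #{keys.join(', ')}"
  end
end
```

Run it as `GITLAB_URL=https://gitlab.example GITLAB_TOKEN=<low-privilege PAT> ruby audit.rb` against a real instance; without those variables it exercises the constructed responses. A patched instance yields no findings, since the `variables` key is absent (or empty) for sub-Maintainer callers. The listing only covers the first page of projects; add `page=` handling for large instances, and never log the variable values the script receives.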
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13351.json (MITRE refsource: CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/239369 (MITRE refsource: MISC)
- hackerone.com/reports/962462 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.