CVE-2020-13352
Description
Private group information is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private group to a public group. Affected versions are: >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Private group information (epic titles and milestone paths) leaks in GitLab when a project is moved from a private group to a public group, affecting versions 10.2 and later before 13.3.9, 13.4.0 through 13.4.4, and 13.5.0 through 13.5.1.
Vulnerability
GitLab CE/EE versions 10.2 and above through 13.3.8, 13.4.0-13.4.4, and 13.5.0-13.5.1 are vulnerable to information disclosure. When a project is transferred from a private group to a public group, private group information such as epic titles and milestone paths remains visible to non-members in issues and merge requests [1].
Exploitation
An attacker with no special privileges can view the public project's issues and hover over system notes to see milestone paths, or view epic titles that were associated with the project before its transfer. No authentication is required beyond normal public access [1].
Impact
An attacker can learn private group metadata (epic titles, milestone paths) that should have been hidden after the project transfer, potentially revealing sensitive information about the original private group [1].
Mitigation
The issue is fixed in GitLab versions 13.3.9, 13.4.5, and 13.5.2. Users should upgrade to these or later versions [1]. No workaround is provided in the references.
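As an added check (example code written for this page, not from GitLab or the advisory), the Ruby helper below tests a reported GitLab version against the three affected ranges. It assumes versions arrive in GitLab's MAJOR.MINOR.PATCH form with an optional -ce/-ee suffix; that suffix is stripped because Gem::Version would otherwise treat it as a prerelease marker and order 13.4.5-ee below 13.4.5, misclassifying a fixed release as affected.

```ruby
# Added example: decide whether a GitLab version falls inside the affected
# ranges listed for CVE-2020-13352. Illustrative code, not from GitLab or
# the advisory; Gem::Version (rubygems) supplies the version ordering.
require 'rubygems'

# [lower bound (inclusive), upper bound (exclusive)] pairs from the CVE record.
# Note the gaps: 13.3.9+ is fixed, but 13.4.0-13.4.4 and 13.5.0-13.5.1 are
# affected again until their own backport releases.
AFFECTED_RANGES = [
  ['10.2', '13.3.9'],
  ['13.4', '13.4.5'],
  ['13.5', '13.5.2']
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# GitLab reports versions such as "13.4.3-ee". The edition suffix has no
# bearing on whether the fix is present, and Gem::Version would parse it as
# a prerelease tag (sorting below the plain version), so drop it first.
def normalize_gitlab_version(str)
  Gem::Version.new(str.to_s.strip.sub(/-(ce|ee)\z/i, ''))
end

# True when the version lies in any affected range.
def affected_by_cve_2020_13352?(version_str)
  v = normalize_gitlab_version(version_str)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# The first fixed release in the matching range, or nil when not affected.
def fixed_release_for(version_str)
  v = normalize_gitlab_version(version_str)
  AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }&.last&.to_s
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each do |ver|
    if affected_by_cve_2020_13352?(ver)
      puts "#{ver}: affected, upgrade to #{fixed_release_for(ver)} or later"
    else
      puts "#{ver}: not in an affected range"
    end
  end
end
```

Run it as `ruby check.rb 13.3.8 13.4.3-ee 13.5.2`; the ordering comes entirely from Gem::Version, so the only custom logic is the suffix normalisation and the range table.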
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2
- (no CPE) range: >=10.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check when displaying group-level metadata (epics, milestones) on issues after a project is transferred from a private group to a public group."
Attack vector
An attacker creates a project in a private group, associates group-level epics, milestones, and labels with an issue, then transfers the project to a public group (with Gold membership) and makes the project public [ref_id=1]. Any non-member visiting the public project's issue can see the private group's epic title (including live updates if the old group changes the title) and, by hovering over system notes, the private group's milestone path [ref_id=1]. No authentication or special privileges are needed on the public side.
Affected code
The advisory does not specify exact files or functions. The vulnerability involves the issue display logic that renders associated epics, milestone paths in system notes, and labels — these components fail to re-verify access to the originating private group after a project transfer [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the issue [ref_id=1] describes the expected correct behavior: epic and old group path should not be visible to non-members. The fix would need to enforce visibility checks on group-level metadata (epics, milestones) when rendering issue details in a transferred project, ensuring that references to the original private group are redacted or access-controlled for users who are not members of that group.
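The following Ruby model, added here and not taken from GitLab's code or from any patch, shows the gap described above beside one way of closing it. The Group, Project, Epic, Milestone and Issue structs and the visible_to? checks are simplified stand-ins for GitLab's models and policies, and the group paths, epic title and milestone number are constructed sample data.

```ruby
# Added example modelling the access-control gap behind CVE-2020-13352.
# Illustrative code, not GitLab's: the structs and visible_to? checks are
# simplified stand-ins for the real models and policies.

Group = Struct.new(:path, :visibility, :members, keyword_init: true) do
  # A private group is visible only to its members; an anonymous viewer is nil.
  def visible_to?(viewer)
    visibility == :public || (!viewer.nil? && members.include?(viewer))
  end
end

Project = Struct.new(:group, :visibility, keyword_init: true) do
  def visible_to?(viewer)
    visibility == :public || group.visible_to?(viewer)
  end
end

# Group-level objects remember the group that owns them; after a project
# transfer that is no longer the project's own group.
Epic = Struct.new(:group, :title, keyword_init: true)
Milestone = Struct.new(:group, :iid, :title, keyword_init: true) do
  def path
    "#{group.path}/-/milestones/#{iid}"
  end
end
Issue = Struct.new(:project, :epic, :milestone, keyword_init: true)

# Vulnerable rendering: once the viewer may see the project, every associated
# group-level object is rendered without asking whether the viewer may see
# the group that owns it.
def render_issue_vulnerable(issue, viewer)
  return nil unless issue.project.visible_to?(viewer)

  { epic_title: issue.epic&.title, milestone_path: issue.milestone&.path }
end

# Hardened rendering: keep the project check, then gate each group-level
# object on its own owning group, so references into a private group are
# dropped for viewers who are not members of that group.
def render_issue_fixed(issue, viewer)
  return nil unless issue.project.visible_to?(viewer)

  epic = issue.epic if issue.epic&.group&.visible_to?(viewer)
  milestone = issue.milestone if issue.milestone&.group&.visible_to?(viewer)
  { epic_title: epic&.title, milestone_path: milestone&.path }
end

# Reproduces the reported scenario on constructed data: an issue in a private
# group is linked to that group's epic and milestone, then the project is
# transferred to a public group and made public.
def transferred_issue
  private_group = Group.new(path: 'private-org', visibility: :private, members: [:alice])
  public_group  = Group.new(path: 'public-org',  visibility: :public,  members: [:alice])
  project = Project.new(group: private_group, visibility: :private)
  issue = Issue.new(
    project: project,
    epic: Epic.new(group: private_group, title: 'Confidential roadmap item'),
    milestone: Milestone.new(group: private_group, iid: 7, title: 'Internal release')
  )

  # The transfer moves the project, but the epic and milestone stay owned by
  # the old private group.
  project.group = public_group
  project.visibility = :public
  issue
end

if __FILE__ == $PROGRAM_NAME
  issue = transferred_issue
  puts "vulnerable, anonymous: #{render_issue_vulnerable(issue, nil).inspect}"
  puts "fixed, anonymous:      #{render_issue_fixed(issue, nil).inspect}"
  puts "fixed, member alice:   #{render_issue_fixed(issue, :alice).inspect}"
end
```

Because both renderers read the epic title at render time, the vulnerable version also reflects later title changes made in the old private group, which matches the live-update behaviour noted above. The hardened version differs only in performing a per-object visibility check against the owning group; a member of the old group (alice) still sees the epic and milestone, while anonymous viewers and members of the new group alone see neither.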
Preconditions
- auth: Attacker must have Owner or Maintainer role on the source private group to transfer the project.
- config: Destination group must have a Gold/Ultimate membership tier (required for the epics feature).
- input: Attacker must create an issue in the private project and associate it with a group epic, group milestone, and/or group label before transferring.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-13352.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/38281 (MITRE x_refsource_MISC)
- hackerone.com/reports/748315 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.