CVE-2020-26406
Description
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. Affected versions are: >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated users and guest members could read SAST CI configuration details of public and private GitLab projects via GraphQL.
Vulnerability
GitLab EE versions 13.3 up to (but not including) 13.3.9, 13.4 up to 13.4.5, and 13.5 up to 13.5.2 expose SAST (Static Application Security Testing) CI configuration information to unauthorized users [1]. Specifically, the GraphQL field sastCiConfiguration returns a project's CI configuration data even when the requester is a non-member of a public project whose repository access is restricted, or a guest member of a private project [1]. The information includes the custom SAST configuration settings that maintainers can edit in the UI at /-/security/configuration.
Exploitation
An attacker needs only to know the full path (namespace/project) of a target GitLab project and possess a valid session (CSRF token and cookies) or API token [1]. No special project membership or repository access is required for public projects with restricted repository visibility; for private projects, guest membership is sufficient. The attacker sends a crafted GraphQL query to POST /api/graphql with the operation sastCiConfiguration and obtains the CI configuration details of the target project [1].
Impact
A successful attack allows the disclosure of SAST CI configuration information that should be restricted. This includes custom configuration values set by project maintainers, such as environment variables, scanner settings, and analysis paths [1]. The attacker gains no write access or execution privileges directly, but the information can leak sensitive configuration details that may aid further attacks on the CI pipeline.
Mitigation
GitLab patched this vulnerability in versions 13.3.9, 13.4.5, and 13.5.2 [1]. Users should upgrade to a fixed version. No workaround is documented; an explicit workaround would require disabling the GitLab GraphQL endpoint or applying restrictive access controls, which is not feasible in normal deployments.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=13.3, <13.3.9, >=13.4, <13.4.5, >=13.5, <13.5.2
- Range: >=13.3, <13.3.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the GraphQL resolver for `sastCiConfiguration` allows unprivileged users to query SAST configuration data."
Attack vector
An attacker sends a crafted GraphQL query to `/api/graphql` requesting the `sastCiConfiguration` for a target project. The query requires only a valid CSRF token and session cookie — no project membership is needed for public projects with restricted repository access, and guest membership suffices for private projects [ref_id=1]. The attacker changes the `fullPath` variable to the target project's namespace/path and receives the SAST configuration (including any overridden values) in the response [ref_id=1].
Affected code
The vulnerability exists in the GraphQL endpoint `/api/graphql` where the `project(fullPath:)` resolver exposes the `sastCiConfiguration` field. The affected code path is the `SastCiConfiguration` GraphQL type and its associated resolver, which failed to enforce proper authorization checks before returning SAST configuration data [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] identifies that the GraphQL resolver for `sastCiConfiguration` lacked proper permission checks. The expected remediation would add authorization logic to the resolver so that only users with Developer or higher roles (or equivalent project access) can query the SAST configuration, mirroring the access controls enforced on the UI configuration page at `/-/security/configuration`.
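The remediation the advisory implies can be sketched as an access check that runs before the resolver returns anything. The following Ruby model is an added example, not GitLab's code: the "Developer or higher" threshold, the role names and the fixture projects are assumptions taken from the narrative above, and the resolver functions are stand-ins for the real GraphQL resolver.

```ruby
# Added example (not GitLab's code): a minimal model of the authorization
# rule the advisory says the sastCiConfiguration resolver lacked. The role
# ranks and the Developer-or-higher threshold are assumptions drawn from the
# narrative above, not from the GitLab source.

ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

# A project knows its members (name => role) and its overridden SAST settings.
Project = Struct.new(:full_path, :members, :sast_config, keyword_init: true)
User    = Struct.new(:name, keyword_init: true)

# Role of `user` on `project`, or nil for non-members (and for no user).
def role_on(project, user)
  project.members[user&.name]
end

# Vulnerable shape: resolves by fullPath alone and never consults the
# caller's access level, so any valid session can read the configuration.
def resolve_sast_ci_configuration_unchecked(projects, full_path)
  projects[full_path]&.sast_config
end

# Hardened shape: the configuration is returned only to callers holding
# Developer or higher on the project (assumed threshold). Non-members and
# Guests get nil, which the GraphQL layer would surface as an authorization
# failure instead of leaking the overridden values.
def resolve_sast_ci_configuration(projects, full_path, user)
  project = projects[full_path]
  return nil unless project
  rank = ROLE_RANK[role_on(project, user)]
  return nil if rank.nil? || rank < ROLE_RANK[:developer]
  project.sast_config
end

# Constructed fixtures: a public project with a restricted repository and a
# private project with a Guest and a Developer. Config values are made up.
PROJECTS = {
  "acme/public-app" => Project.new(full_path: "acme/public-app",
                                   members: { "maria" => :maintainer },
                                   sast_config: { "SAST_EXCLUDED_PATHS" => "spec,vendor" }),
  "acme/secret-app" => Project.new(full_path: "acme/secret-app",
                                   members: { "gus" => :guest, "dev" => :developer },
                                   sast_config: { "SEARCH_MAX_DEPTH" => "4" }),
}.freeze
```

The unchecked resolver hands the private project's settings to anyone who knows the path, while the checked one refuses the Guest and the non-member and still serves the Developer and Maintainer.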
Preconditions
- auth: Attacker must have a valid session (cookies and CSRF token) on the GitLab instance
- auth: For public projects: attacker does not need any project membership
- auth: For private projects: attacker needs at most Guest role on the target project
- config: Target project must have SAST configuration overridden via the UI (changed from defaults)
Reproduction
1. As a Maintainer, go to a public project (with repository access restricted to team members) at `https://gitlab.com/
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26406.json [CONFIRM]
- gitlab.com/gitlab-org/gitlab/-/issues/244921 [MISC]
- hackerone.com/reports/965602 [MISC]
News mentions
No linked articles in our index yet.