CVE-2020-26408
Description
A limited information disclosure vulnerability exists in GitLab CE/EE from >=12.2 to <13.4.7, >=13.5 to <13.5.5, and >=13.6 to <13.6.2 that allows an attacker to view limited information in a user's private profile.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE discloses starred projects of private profiles via an API endpoint in versions 12.2 to 13.4.7, 13.5 to 13.5.5, and 13.6 to 13.6.2.
Vulnerability
A limited information disclosure vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 12.2 through 13.4.7, 13.5.0 through 13.5.5, and 13.6.0 through 13.6.2. The JSON API endpoint at /users/:username/starred.json exposes a user's starred projects even when the user has set their profile to private by enabling the "Don't display activity-related personal information on your profiles" setting [1].
Exploitation
An unauthenticated attacker can access the /users/:username/starred.json endpoint for any GitLab user. The attacker does not need to be logged in or have any special privileges. By simply sending a GET request to this endpoint, the attacker retrieves the list of projects starred by the target user, which should be hidden under a private profile [1].
Impact
Successful exploitation allows the attacker to view the starred projects of a user with a private profile. This information disclosure contradicts the documented privacy expectations, potentially leaking sensitive project associations that the user intended to keep hidden [1].
Mitigation
The vulnerability is fixed in GitLab versions 13.4.7, 13.5.5, and 13.6.2. Users should upgrade to one of these patched versions or later. No workaround is available for unpatched instances [description].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=12.2, <13.4.7; >=13.5, <13.5.5; >=13.6, <13.6.2
- (no CPE) range: >=12.2 to <13.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check in the starred projects API endpoint fails to enforce the user's profile privacy setting."
Attack vector
An attacker can view the starred projects of any GitLab user, even when that user has configured their profile as private. The attacker simply requests `https://gitlab.com/users/:username/starred.json` while unauthenticated (e.g., from a private browser window). The endpoint returns the list of starred projects, leaking information that the user intended to hide via the privacy setting [ref_id=1]. No authentication or special privileges are required.
Affected code
The issue is in the `/users/:username/starred.json` API endpoint, which returns a user's starred projects without checking whether the user's profile is set to private [ref_id=1]. The endpoint does not enforce the "Don't display activity-related personal information on your profiles" setting.
What the fix does
The advisory does not include a patch diff, but the fix required is for the `starred.json` endpoint to respect the user's profile privacy setting. When a user has checked "Don't display activity-related personal information on your profiles", the endpoint should either return an empty result or a 404/403 response for unauthenticated viewers, consistent with how the private profile page itself behaves [ref_id=1].
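To make the missing check concrete, here is an added plain-Ruby illustration (not GitLab's code) of the two handler shapes described above: a hypothetical in-memory `User` record with a `private_profile` flag and a starred list, served by a vulnerable handler that ignores the flag and a fixed handler that enforces it. Returning 404 rather than 403 for a hidden profile is an assumption; the advisory allows either.

```ruby
require 'json'

# Hypothetical in-memory user model; a real instance would load this from the
# database and the "Don't display activity-related personal information" setting.
User = Struct.new(:username, :private_profile, :starred, keyword_init: true)

# Constructed sample data: alice has a private profile, bob does not.
USERS = {
  'alice' => User.new(username: 'alice', private_profile: true,
                      starred: ['group/secret-tool', 'oss/library']),
  'bob'   => User.new(username: 'bob', private_profile: false,
                      starred: ['oss/library'])
}.freeze

# Vulnerable shape of GET /users/:username/starred.json: the privacy setting is
# never consulted, so an anonymous viewer (viewer: nil) sees the starred list.
def starred_json_vulnerable(username, viewer: nil)
  user = USERS[username]
  return [404, '{}'] unless user

  [200, JSON.generate(user.starred)]
end

# Activity data on a private profile is visible only to the profile owner.
def activity_visible?(user, viewer)
  return true unless user.private_profile

  !viewer.nil? && viewer.username == user.username
end

# Fixed shape: the same authorization decision the private profile page makes
# is applied to the JSON endpoint. 404 is used so the response for a hidden
# profile is indistinguishable from a non-existent user (an assumption).
def starred_json_fixed(username, viewer: nil)
  user = USERS[username]
  return [404, '{}'] unless user
  return [404, '{}'] unless activity_visible?(user, viewer)

  [200, JSON.generate(user.starred)]
end
```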
Preconditions
- config: The target user must have enabled the "Don't display activity-related personal information on your profiles" setting (private profile).
- input: The attacker must know the target user's username.
- auth: No authentication is required; the endpoint is accessible to unauthenticated users.
Reproduction
1. Log in to GitLab and navigate to Settings. Check "Don't display activity-related personal information on your profiles" and save.
2. Open a private/incognito browser window and navigate to `https://gitlab.com/users/:username/starred.json` (replace `:username` with the target's username).
3. Observe that the JSON response lists the user's starred projects, even though the profile is private [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26408.json (x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/33563 (x_refsource_MISC)
- hackerone.com/reports/703894 (x_refsource_MISC)
News mentions
No linked articles in our index yet.