VYPR · Severity: Unrated · NVD Advisory · Published Dec 11, 2020 · Updated Aug 4, 2024

CVE-2020-26412

Description

Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2 before 13.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In GitLab EE 13.2-13.6.1, removed group members could still view confidential epic updates via To-Do API.

Vulnerability

In GitLab EE starting from version 13.2 before 13.6.2, a vulnerability allowed removed group members to access updated information on confidential epics through the To-Do functionality. Specifically, when a user who had previously added a confidential epic to their To-Do list was subsequently removed from the group, their To-Do entries retained the ability to fetch the latest details of that epic via the API. This affects GitLab EE versions 13.2.0 through 13.6.1.

Exploitation

An attacker must first have been a group member and added a confidential epic as a To-Do item. The group owner then removes the attacker from the group. After removal, the attacker can query the To-Do API endpoint (e.g., GET /api/v4/todos) using their personal access token to retrieve updated information about the epic, including label changes, description modifications, and other confidential updates.

Impact

Successful exploitation leads to unauthorized information disclosure of confidential epic data. The attacker, who no longer has access to the group or the epic, can still monitor changes to the epic's metadata, breaking the confidentiality guarantees of GitLab's group and epic permissions.

Mitigation

The vulnerability is fixed in GitLab EE version 13.6.2 and later [1]. Users should upgrade to the latest available version. No workaround is documented; the only remedy is to apply the patch by updating GitLab.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)