VYPR
Unrated severity · NVD Advisory · Published Dec 11, 2020 · Updated Aug 4, 2024

CVE-2020-26413

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE GraphQL endpoint leaks private user emails via the user query, fixed in 13.6.2.

Vulnerability

In GitLab CE/EE versions 13.4 through 13.6.1, the GraphQL API exposes the email field in the user query even when the user has configured their email as private. This allows any authenticated user to retrieve the private email address of any other user simply by knowing their username. The affected versions are all releases starting from 13.4 before 13.6.2 [1].

Exploitation

An attacker with a valid GitLab account can send a GraphQL query of the form `query { user(username: "") { email } }` to obtain the victim's email address, regardless of the victim's privacy settings. No further authentication or special privileges are required beyond a standard user account [1].

Impact

Successful exploitation results in the disclosure of private email addresses of all GitLab users. Attackers can leverage this information for targeted phishing, spam, or other malicious activities. The exposure violates user privacy expectations and can lead to further compromise if the email is used in social engineering attacks [1].

Mitigation

The vulnerability is fixed in GitLab CE/EE version 13.6.2. Users should upgrade to this version or later immediately. There are no known workarounds for versions prior to the fix [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • GitLab Inc. / CE/EE (llm-fuzzy match), 2 version ranges:
    • (no CPE) range: >=13.4, <13.6.2
    • (no CPE) range: >=13.4, <13.4.7
  • osv-coords range: >= 13.4.0, < 13.4.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing access control check in the GraphQL user query resolver allows the `email` field to be returned regardless of the user's privacy setting."

Attack vector

An attacker sends a crafted GraphQL query supplying a victim's username and requesting the `email` field. The query `{ user(username: "<victim>") { email username } }` returns the victim's email address even when that user has configured their email as private. No authentication beyond a standard GitLab account is required, and the attacker only needs to know the target's username [ref_id=1].

Affected code

The GraphQL `user` query resolver exposes the `email` field without checking the target user's email visibility preference. The issue is in the GraphQL API layer that handles the `user` query, as shown in the HackerOne report [ref_id=1].

What the fix does

The advisory does not include a published patch diff. The remediation guidance from the vendor is to upgrade GitLab CE/EE to version 13.6.2 or later, which corrects the GraphQL resolver to respect the user's email privacy setting before returning the `email` field [ref_id=1].
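To make the missing check concrete, the following is an added, hypothetical Ruby sketch (not GitLab's code; the `User` fields, the `public_email` attribute and the resolver names are assumptions) that places the unchecked `email` field resolver described above beside one that consults the target's privacy setting before returning the field:

```ruby
# Hypothetical stand-in for GitLab's user model; field names are assumptions,
# and `public_email` models "the user chose to publish this address" (nil = private).
User = Struct.new(:username, :email, :public_email, :admin, keyword_init: true)

# Constructed sample users: alice keeps her email private, bob publishes his.
SAMPLE_USERS = [
  User.new(username: "alice", email: "alice@example.com", public_email: nil, admin: false),
  User.new(username: "bob",   email: "bob@example.com",   public_email: "bob@example.com", admin: false),
  User.new(username: "root",  email: "root@example.com",  public_email: nil, admin: true),
].freeze

# Vulnerable shape (as the advisory describes it): the field resolver hands back
# the stored address for any target; the viewer never enters the decision.
def resolve_email_unchecked(_viewer, target)
  target.email
end

# Hardened shape: the resolver decides visibility first and yields nil
# (a GraphQL null) when the viewer is not entitled to the stored address.
def resolve_email_checked(viewer, target)
  return target.email if viewer && (viewer.admin || viewer.username == target.username)
  target.public_email # nil when the target keeps the address private
end

# Resolve the selection `{ user(username:) { username email } }` against the
# in-memory table, using whichever email field resolver is passed in.
def resolve_user_query(viewer, username, email_resolver, users: SAMPLE_USERS)
  target = users.find { |u| u.username == username }
  return nil unless target
  { "username" => target.username, "email" => email_resolver.call(viewer, target) }
end

# Wrappers so the two behaviours can be compared side by side.
def query_vulnerable(viewer, username)
  resolve_user_query(viewer, username, method(:resolve_email_unchecked))
end

def query_fixed(viewer, username)
  resolve_user_query(viewer, username, method(:resolve_email_checked))
end
```

With the hardened resolver, bob querying alice gets `"email" => nil`, while alice, an admin, or anyone querying bob's published address still gets a value.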

Preconditions

  • auth: Attacker must have a GitLab account (or be able to send unauthenticated GraphQL queries, depending on instance configuration).
  • input: Attacker must know the victim's username.
  • config: Victim must have configured their email as private in their profile settings.

Reproduction

1. Log in to a GitLab instance running version 13.4 through 13.6.1.
2. Open the GraphQL explorer or send a POST request to `/api/graphql` with the query: `{ user(username: "<victim_username>") { email username } }`
3. Observe that the response includes the victim's email address even if the victim has set their email to private [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (0)

No linked articles in our index yet.