VYPR
Unrated severity · NVD Advisory · Published Aug 25, 2021 · Updated Aug 3, 2024

CVE-2021-22256

Description

Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE 12.6+ allows guest users to create issues for Sentry errors and track their status via a direct API request without required reporter permissions.

Vulnerability

All versions of GitLab Community Edition (CE) and Enterprise Edition (EE) from 12.6 to the date of the advisory (2021-08-25) contain an improper authorization vulnerability in the error tracking feature. While documentation states that only users with the Reporter role or higher may view or modify Sentry error details, the endpoint for creating issues from error tracking does not properly enforce this permission. A guest user can directly POST a crafted request with a valid Sentry error identifier and bypass the UI restriction [1].

Exploitation

An attacker must first have a Guest role account on a private project with Sentry error tracking enabled by a Maintainer. The Maintainer connects the project to Sentry and new errors are automatically populated in the error tracking list. The attacker then sends a POST request to the issue creation endpoint with parameters issue[title], issue[description], issue[sentry_issue_attributes][sentry_issue_identifier] (the Sentry error ID), and an authenticity_token. No special race condition or additional authentication beyond the guest session is needed [1].

Impact

A Guest user, who should have no access to error tracking data, is able to create a new GitLab issue linked to a specific Sentry error. Furthermore, the attacker can track the status of that error: when a user with higher privileges (such as a Maintainer) later resolves the Sentry error, GitLab will automatically close the issue created by the guest, allowing the guest to effectively stay informed about the error's resolution status. This violates the intended access control model [1].

Mitigation

GitLab addressed this vulnerability by fixing the authorization check. The issue was reported on 2021-03-05 and the fix was included in GitLab versions 14.0.4, 13.12.6, and 13.11.6, released on 2021-08-25. Users should upgrade to one of these patched versions or later. No workaround is available for unpatched versions [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing authorization check on the 'Create Issue' endpoint for Sentry errors allows Guest users to create issues linked to Sentry errors."

Attack vector

An attacker with only Guest role on a private project can craft a POST request to the issue creation endpoint, supplying a `sentry_issue_identifier` (the Sentry error ID) along with a title and description. Because the endpoint fails to verify that the user has at least Reporter permissions, the Guest user can create an issue linked to any Sentry error in the project. When a Maintainer later resolves the corresponding error in Sentry, the issue created by the Guest is automatically closed, allowing the Guest to track the error's status without authorization [1].

Affected code

The vulnerability exists in the Error Tracking feature's issue creation endpoint. The issue tracker references the Sentry error integration, where the "Create Issue" action did not enforce the project-level permission check for Guest users. The advisory does not specify exact file paths or function names, but the affected code path is the controller or service handling the creation of issues linked to Sentry errors.

What the fix does

The advisory does not include a published patch diff. The remediation guidance implied by the issue report is to add an authorization check on the "Create Issue" endpoint for Sentry errors, ensuring that only users with at least the Reporter role (as documented in the GitLab permissions docs) can create issues linked to Sentry errors. No fix commit is shown in the bundle.
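The check described above, as an added Ruby illustration that is not GitLab's code: a toy role model and a "create issue from Sentry error" service, with the unchecked shape beside the corrected one. Role values, the `issues` store, and the nested form hash are hypothetical; the form key layout mirrors the parameters named in the advisory.

```ruby
# Hypothetical role ordering; GitLab's real access levels are not reproduced here.
ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

User = Struct.new(:name, :role)

class AccessDenied < StandardError; end

# Stand-in for the project-level permission lookup: error tracking data is
# documented as Reporter-or-higher, so that is the bar the endpoint must enforce.
def can_access_error_tracking?(user)
  ROLES.fetch(user.role) >= ROLES[:reporter]
end

# Mirrors the nested form keys from the advisory after the framework has
# parsed issue[sentry_issue_attributes][sentry_issue_identifier] into a hash.
def sentry_identifier_from(form)
  form.dig("issue", "sentry_issue_attributes", "sentry_issue_identifier")
end

# Vulnerable shape: relies on the UI hiding the button and performs no role check,
# so any authenticated session that can reach the endpoint creates the issue.
def create_issue_from_sentry_vulnerable(user, form, issues)
  issue = {
    title: form.dig("issue", "title"),
    description: form.dig("issue", "description"),
    sentry_issue_identifier: sentry_identifier_from(form),
    author: user.name
  }
  issues << issue
  issue
end

# Fixed shape: authorize server-side before any state changes, and reject
# requests that carry no Sentry identifier at all.
def create_issue_from_sentry_fixed(user, form, issues)
  raise AccessDenied, "#{user.name} lacks Reporter role" unless can_access_error_tracking?(user)
  raise ArgumentError, "missing sentry_issue_identifier" if sentry_identifier_from(form).nil?
  create_issue_from_sentry_vulnerable(user, form, issues)
end

# Constructed sample request body, shaped like the advisory's parameters.
SAMPLE_FORM = {
  "issue" => {
    "title" => "Title",
    "description" => "Description",
    "sentry_issue_attributes" => { "sentry_issue_identifier" => "EXAMPLE-ID" }
  }
}.freeze
```

The fixed path denies the Guest before touching the issue store, which is the property a regression test for this class of bug should assert.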

Preconditions

  • auth: The attacker must have a Guest role on a private GitLab project.
  • config: The project must have Sentry integrated and errors must exist in the error tracking list.
  • network: The attacker must be able to send a crafted POST request to the issue creation endpoint.
  • input: The attacker must know a valid Sentry error ID for the project.

Reproduction

1. On a private project, log in as a Guest user.
2. Have a Maintainer connect Sentry to the project and generate errors in Sentry so they appear in the error tracking list.
3. As the Guest user, send a POST request to the issue creation endpoint with the following parameters: `issue[title]=Title`, `issue[description]=Description`, `issue[sentry_issue_attributes][sentry_issue_identifier]=

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.