CVE-2021-39930
Description
Missing authorization in GitLab EE versions between 12.4 and 14.3.6, between 14.4.0 and 14.4.4, and between 14.5.0 and 14.5.2 allowed an attacker to access a user's custom project and group templates
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in GitLab EE lets any logged-in user read another user's custom project and group templates, leaking the names of that user's private groups and projects.
Vulnerability
The `available_group_templates` endpoint in GitLab EE lacked an authorization check, so any user could retrieve another user's custom project and group templates. Affected versions are 12.4 up to but excluding 14.3.6, 14.4.0 up to but excluding 14.4.4, and 14.5.0 up to but excluding 14.5.2 [1].
Exploitation
An attacker holding any account on the instance sends a GET request to /users/<target_username>/available_group_templates. Because the endpoint never checks whether the requester is allowed to see the target's templates, it returns the target user's private group templates and the associated project names, as demonstrated in the HackerOne report [1]. No membership in the target's groups, elevated privilege, or user interaction is required beyond knowing a valid username. This is a missing authorization (access-control) flaw, not a missing authentication one: the attacker is logged in, just not entitled to the data.
Impact
Successful exploitation discloses the target user's private group names and project template names, which reveal organizational structure and naming conventions to someone outside those groups. The impact is limited to confidentiality; integrity and availability are not affected.
Mitigation
The vulnerability is fixed in GitLab EE 14.3.6, 14.4.4, and 14.5.2; upgrade to the patched release on your release branch or later. No workaround is documented. The issue is not listed on CISA's Known Exploited Vulnerabilities catalog.
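As an added example (not part of the advisory or of GitLab's code), the following Ruby snippet classifies a GitLab EE version string against the three affected ranges so an operator can check an instance's reported version before planning the upgrade. It assumes EE builds report versions with a `-ee` suffix (as in `14.3.5-ee`) and that `GET /api/v4/version` returns a JSON object with a `version` key; the sample JSON body is constructed, not captured from a real instance.

```ruby
require 'json'

# Affected GitLab EE ranges published for CVE-2021-39930, as [lower, upper) pairs.
AFFECTED_RANGES = [
  ['12.4.0', '14.3.6'],
  ['14.4.0', '14.4.4'],
  ['14.5.0', '14.5.2']
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Classify a raw version string such as "14.3.5-ee".
# Returns :affected, :not_affected, :not_applicable (CE build), or :unknown.
# Assumption: EE builds carry a "-ee" suffix and CE builds do not.
def cve_2021_39930_status(raw_version)
  core, *tags = raw_version.to_s.strip.split('-')
  return :unknown unless core.to_s.match?(/\A\d+(\.\d+)*\z/)
  return :not_applicable unless tags.include?('ee')

  version = Gem::Version.new(core)
  if AFFECTED_RANGES.any? { |lo, hi| version >= lo && version < hi }
    :affected
  else
    :not_affected
  end
end

# Wrapper for the JSON body returned by an authenticated GET /api/v4/version,
# e.g. {"version":"14.3.5-ee","revision":"..."} (assumed response shape).
def status_from_version_json(body)
  data = JSON.parse(body)
  cve_2021_39930_status(data['version'])
rescue JSON::ParserError
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample response; not captured from a real instance.
  sample = '{"version":"14.3.5-ee","revision":"0123456789a"}'
  puts "#{JSON.parse(sample)['version']}: #{status_from_version_json(sample)}"
end
```

Boundary handling matters here: the patched releases (14.3.6, 14.4.4, 14.5.2) are the exclusive upper bounds, so they classify as not affected, while versions before 12.4 predate the custom-template endpoint and are not affected either. A CE build is reported as not applicable because the advisory covers EE only.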
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.4, <14.3.6
- Range: >=14.4.0, <14.4.4
- Range: >=14.5.0, <14.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the `available_group_templates` endpoint allows any user to access another user's private custom project and group templates."
Attack vector
An authenticated but unauthorized attacker sends a GET request to `/users/
Affected code
The endpoint `/users/:username/available_group_templates`, introduced for custom project and group templates, lacked access-control checks [ref_id=1]. The issue was reported via HackerOne report #475240 and assigned to `asaba` [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix must add an authorization check to the `available_group_templates` endpoint so that templates are returned only when the requesting user is permitted to view the target user's custom project and group templates [ref_id=1]. The vulnerability was addressed in GitLab EE 14.3.6, 14.4.4, and 14.5.2.
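Because no diff is published, the following added example models the endpoint's authorization logic in plain Ruby. It is not GitLab's code: `User`, `Group`, `GroupTemplateLookup`, the "same user or instance admin" policy, and the sample users and groups are all hypothetical and constructed for illustration. It contrasts the vulnerable shape, where the requester is never consulted, with a fixed shape that decides authorization before any data is assembled.

```ruby
# Hypothetical model of the lookup behind /users/:username/available_group_templates.
User  = Struct.new(:username, :group_ids, :admin)
Group = Struct.new(:id, :name, :template_project_names)

class GroupTemplateLookup
  def initialize(users, groups)
    @users_by_name = users.to_h { |u| [u.username, u] }
    @groups_by_id  = groups.to_h { |g| [g.id, g] }
  end

  # Vulnerable shape: the target comes from the URL segment and the requester
  # is ignored, so anyone who is logged in can enumerate the target's private
  # groups and their template project names.
  def available_group_templates_vulnerable(_current_user, target_username)
    target = @users_by_name[target_username]
    return nil if target.nil?

    templates_for(target)
  end

  # Fixed shape: authorize before touching any data. The policy (the user
  # themselves or an instance admin) is an assumed rule consistent with the
  # advisory, not GitLab's actual predicate. Unauthorized requests get the
  # same nil (rendered as 404) as unknown usernames, so the response shape
  # alone does not distinguish the two cases.
  def available_group_templates_fixed(current_user, target_username)
    target = @users_by_name[target_username]
    return nil if target.nil?
    return nil unless can_read_templates_of?(current_user, target)

    templates_for(target)
  end

  private

  def can_read_templates_of?(current_user, target)
    current_user.admin || current_user.username == target.username
  end

  def templates_for(user)
    user.group_ids.filter_map { |id| @groups_by_id[id] }
                  .map { |g| { group: g.name, templates: g.template_project_names } }
  end
end

# Constructed sample data for the demonstration (not from any real instance).
def sample_lookup
  alice   = User.new('alice', [1, 2], false)
  mallory = User.new('mallory', [3], false)
  root    = User.new('root', [], true)
  groups  = [
    Group.new(1, 'acme-platform', ['service-template']),
    Group.new(2, 'acme-stealth-project', ['ml-template']),
    Group.new(3, 'open-source', [])
  ]
  lookup = GroupTemplateLookup.new([alice, mallory, root], groups)
  [lookup, { alice: alice, mallory: mallory, root: root }]
end

if __FILE__ == $PROGRAM_NAME
  lookup, users = sample_lookup
  puts "vulnerable: #{lookup.available_group_templates_vulnerable(users[:mallory], 'alice').inspect}"
  puts "fixed:      #{lookup.available_group_templates_fixed(users[:mallory], 'alice').inspect}"
end
```

The point to carry into a real code base is the ordering: the authorization decision is made on the (requester, target) pair before any group or template query runs, so a missing check cannot be papered over later by filtering a list that has already been built.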
Preconditions
- input: The attacker must know or guess a target username on the GitLab instance
- config: The target user must have custom project or group templates configured
- auth: Any account on the instance suffices; no membership in the target user's groups or other privilege is required
Reproduction
1. Log in to gitlab.com (or any affected GitLab EE instance).
2. Visit `https://gitlab.com/users/
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39930.json (CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/26103 (MISC)
- hackerone.com/reports/475240 (MISC)
News mentions
No linked articles in our index yet.