CVE-2021-39936
Description
Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in GitLab allows a deploy token to read a project's wiki even when wikis are disabled.
Vulnerability
An improper access control vulnerability exists in GitLab CE/EE versions starting from 10.7 before 14.3.6, all versions from 14.4 before 14.4.4, and all versions from 14.5 before 14.5.2 [1]. The bug allows a deploy token without read_wiki scope to access a project's wiki repository, even if wikis have been explicitly disabled for that project [1].
Exploitation
An attacker who possesses a valid deploy token with at least read_repo scope can exploit this by cloning the project's wiki repository using the standard Git URL format (e.g., git clone https://<deploy_token>@gitlab.com/namespace/project.wiki.git) [1]. No additional authentication or user interaction is required [1].
Impact
Successful exploitation leads to unauthorized read access to the project's wiki content, including potentially sensitive information stored there [1]. The attacker gains the ability to read the wiki, even when the project owner has disabled wikis in an attempt to restrict access. This violates the intended access control model, as deploy tokens lack explicit wiki scopes and wikis can be disabled independently [1].
Mitigation
GitLab has fixed the vulnerability in versions 14.3.6, 14.4.4, and 14.5.2 [1]. Users should upgrade to one of these patched versions or later. As a workaround, project owners can revoke deploy tokens that do not require wiki access, or review and limit the scope of existing deploy tokens [1].
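The version check and deploy-token review described above, as an added defender-side helper that is not part of the advisory or of GitLab's own code. It assumes project and deploy-token records shaped like the GitLab REST API's `/projects/:id` (`wiki_enabled`) and `/projects/:id/deploy_tokens` (`scopes`, `revoked`, `expired`) responses; the sample records are constructed, and any scope beginning with `read_repo` is treated as repository read access so both the API's `read_repository` value and this page's short form match.

```python
# Added example (not GitLab's code): flag projects that disabled their wiki
# but still hold live deploy tokens with repository read access, on an
# instance whose version falls inside one of the advisory's affected ranges.

AFFECTED_RANGES = [  # (lower inclusive, upper exclusive), from the advisory
    ((10, 7, 0), (14, 3, 6)),
    ((14, 4, 0), (14, 4, 4)),
    ((14, 5, 0), (14, 5, 2)),
]

def parse_version(text: str) -> tuple:
    """'14.3.5' or '14.3.5-ee' -> (14, 3, 5); missing components become 0."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version: str) -> bool:
    """True if the instance version lies in any affected range (patched = False)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def exposed_tokens(project: dict, tokens: list) -> list:
    """Names of live deploy tokens that could still read this project's disabled wiki."""
    if project.get("wiki_enabled", True):
        return []  # wiki is enabled anyway; nothing to flag
    return [
        t["name"] for t in tokens
        if not t.get("revoked") and not t.get("expired")
        and any(s.startswith("read_repo") for s in t.get("scopes", []))
    ]

def audit(version: str, projects: list, tokens_by_project: dict) -> dict:
    """{project path: [token names]} needing review; empty when the instance is patched."""
    if not is_affected(version):
        return {}
    findings = {}
    for p in projects:
        names = exposed_tokens(p, tokens_by_project.get(p["id"], []))
        if names:
            findings[p["path_with_namespace"]] = names
    return findings

# Constructed sample records (assumed API shape; not real projects or tokens)
SAMPLE_PROJECTS = [
    {"id": 1, "path_with_namespace": "group/app", "wiki_enabled": False},
    {"id": 2, "path_with_namespace": "group/docs", "wiki_enabled": True},
]
SAMPLE_TOKENS = {
    1: [{"name": "ci-pull", "scopes": ["read_repository"], "revoked": False, "expired": False},
        {"name": "old-pull", "scopes": ["read_repository"], "revoked": True, "expired": False},
        {"name": "registry", "scopes": ["read_registry"], "revoked": False, "expired": False}],
    2: [{"name": "ci-pull", "scopes": ["read_repository"], "revoked": False, "expired": False}],
}

if __name__ == "__main__":
    print(audit("14.3.5", SAMPLE_PROJECTS, SAMPLE_TOKENS))  # {'group/app': ['ci-pull']}
```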
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=10.7, <14.3.6
- Range: >=14.4, <14.4.4
- Range: >=14.5, <14.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing access control check for wiki disabled state when authenticating via deploy tokens."
Attack vector
An attacker who possesses a valid deploy token (even one scoped only to read_repo) can clone a project's wiki repository by appending `.wiki.git` to the project URL [ref_id=1]. This works even when the project owner has disabled wikis in the project settings. The deploy token system does not enforce the project's wiki-disabled flag, nor does it require a dedicated `read_wiki` scope, so any token with repository access can bypass the wiki disable setting [ref_id=1].
Affected code
The advisory does not specify exact file paths or functions. The vulnerability exists in the deploy token authentication and authorization logic that handles access to project wiki repositories [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the fix required GitLab to add an access control check that verifies whether wikis are enabled for the project before allowing deploy-token-based access to the wiki repository [ref_id=1]. Additionally, a dedicated `read_wiki` deploy-token scope should be introduced so that token holders cannot read wikis unless explicitly granted that permission. The issue was resolved in GitLab versions 14.3.6, 14.4.4, and 14.5.2 [ref_id=1].
Preconditions
- Authentication: the attacker must possess a valid deploy token for the target project (any scope, e.g. read_repo)
- Configuration: project wikis must be disabled in the project settings (this is the condition the bug bypasses)
- Network: network access to the GitLab instance to clone the wiki repository
Reproduction
1. Create a private project on GitLab and disable wikis in the project settings.
2. Create a deploy token with only the `read_repo` scope.
3. Clone the project wiki using the deploy token: `git clone https://<deploy_token_name>:<deploy_token>@gitlab.com/<namespace>/<project>.wiki.git` [ref_id=1].

The clone succeeds despite wikis being disabled and the token lacking any wiki-specific scope.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39936.json (MITRE x_refsource_CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/241767 (MITRE x_refsource_MISC)
- hackerone.com/reports/964057 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.