VYPR
Unrated severity · NVD Advisory · Published Dec 13, 2021 · Updated Aug 4, 2024

CVE-2021-39941

Description

An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab CE/EE leaked the default branch name to non-project members in projects restricting repository access to members only.

Vulnerability

An information disclosure vulnerability (CVE-2021-39941) affects GitLab Community Edition (CE) and Enterprise Edition (EE) versions 12.0 through 14.3.6, 14.4 through 14.4.4, and 14.5 through 14.5.2. The bug allows non-project members to see the default branch name for projects that restrict repository access to project members. The default branch name was inadvertently embedded in the HTML body of the project page through attributes such as data-find-file and data-autocomplete-project-ref, and through the hidden repository_ref input field, even when the requesting user had no permission to view the repository itself [1].

Exploitation

An attacker needs only to be a non-member or guest user of a public project that has configured its repository access to "Only Project Members". No authentication or special privileges are required beyond being able to view the project overview page. The attacker can visit the project's main page (e.g., https://gitlab.example.com//), inspect the HTML source, and read the default branch name from attributes such as data-find-file or data-autocomplete-project-ref, or from the hidden repository_ref input element. The issue was reproduced by sending a simple curl request to the project page and grepping for the expected default branch value [1].

Impact

The attacker gains knowledge of the project's default branch name, which may leak information about the project's development state, release process, or even sensitive branch naming conventions. This constitutes a low-to-medium severity information disclosure, as the attacker does not obtain any repository contents or commit data, but can learn metadata that should be hidden when repository access is restricted. The vulnerability was assigned a CVSS score of 4.3 (Medium) by GitLab.

Mitigation

Mitigation is available by upgrading GitLab CE/EE to version 14.3.6, 14.4.4, or 14.5.2, depending on the deployment track. These versions were released on 2021-12-13 and contain the fix that removes the default branch name from pages viewed by users without repository access [1]. There is no workaround available for unpatched instances; upgrading is the only remediation. The issue was reported via HackerOne (report #706361) and was tracked internally as issue #33864.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The default branch name is embedded in the project page HTML (in hidden input fields and data attributes) regardless of whether the requesting user has permission to view the repository."

Attack vector

An attacker who is a non-member or guest user visits a project's main page (e.g., `https://gitlab.com/

Affected code

The vulnerability exists in the project details page HTML rendering. The default branch name is leaked through hidden input fields and data attributes in the page body, specifically the `repository_ref` hidden input and the `data-autocomplete-project-ref` attribute on the search autocomplete element [1].

What the fix does

The advisory states the issue was resolved, but no patch diff is included in the bundle. The fix likely involved conditionally omitting the `repository_ref` hidden input and the related data attributes from the page HTML when the requesting user lacks repository access. The remediation ensures that no repository metadata, including the default branch name, is exposed to users who do not have permission to view the repository [1].
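A defender-side check that a project page served to a non-member no longer carries the ref-bearing fields named above, added here as an example and not GitLab's code or the advisory's: it parses the HTML for the `repository_ref` hidden input and the `data-find-file` / `data-autocomplete-project-ref` attributes. The two sample pages are constructed for the example, not captured GitLab output.

```python
from html.parser import HTMLParser

# Attribute and field names the advisory identifies as carrying the ref.
LEAK_ATTRS = {"data-find-file", "data-autocomplete-project-ref"}
LEAK_HIDDEN_INPUT = "repository_ref"


class RefLeakScanner(HTMLParser):
    """Collects every place a project page exposes a repository ref."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, value)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names
        if tag == "input" and attrs.get("name") == LEAK_HIDDEN_INPUT and attrs.get("value"):
            self.findings.append(("input[name=%s]" % LEAK_HIDDEN_INPUT, attrs["value"]))
        for name, value in attrs.items():
            if name in LEAK_ATTRS and value:
                self.findings.append((name, value))


def find_ref_leaks(html):
    """Return all (location, value) pairs where a ref is embedded in the page."""
    scanner = RefLeakScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def leaks_default_branch(html, default_branch):
    """True when a page reveals the given branch, either as a bare value or as a path suffix."""
    return any(value == default_branch or value.endswith("/" + default_branch)
               for _, value in find_ref_leaks(html))


# Constructed sample pages: what a pre-fix and a post-fix response to a non-member could look like.
VULNERABLE_PAGE = """<html><body>
<input type="hidden" name="repository_ref" value="release-2021.12">
<div class="search" data-autocomplete-project-ref="release-2021.12"></div>
<a data-find-file="/group/project/-/find_file/release-2021.12">Find file</a>
</body></html>"""

FIXED_PAGE = """<html><body>
<div class="search" data-autocomplete-project-id="42"></div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        print(label, find_ref_leaks(page))
```

Point the scanner at the HTML your instance returns to an unauthenticated session after upgrading; an empty findings list is the expected post-fix result.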

Preconditions

  • config: The target project must have its repository visibility set to 'Only Project Members' (or an equivalent restriction)
  • auth: The attacker must be a non-member or guest user of the project
  • network: The attacker must be able to make HTTP requests to the GitLab instance and view the project's main page HTML

Reproduction

1. Create a public project with repository access set to "Only Project Members".
2. As a non-member, visit the project's main page (e.g., `https://gitlab.com/

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
