CVE-2023-1167
Description
Improper authorization in Gitlab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in MR.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE MR security reports are improperly accessible to unauthenticated users due to missing authorization.
Vulnerability
An improper authorization vulnerability exists in GitLab EE affecting versions 12.3.0 through 15.8.5, 15.9.0 through 15.9.4, and 15.10.0 through 15.10.1. The bug allows merge request (MR) security reports (such as SAST reports) to be viewable by any user, including unauthenticated visitors, without proper permission checks [1]. The issue is tracked in GitLab issue #392715 [1].
Exploitation
An attacker does not need any authentication or special privileges to exploit this vulnerability. By simply visiting a URL path to an MR security report (e.g., /gitlab-org/gitlab/-/merge_requests/109202/sast_reports) in an incognito browser window or any unauthenticated session, the report content is served without authorization checks [1]. No specific user interaction beyond navigating to the crafted URL is required.
Impact
Successful exploitation results in unauthorized disclosure of sensitive information contained in security reports. These reports may include vulnerability findings, code scanning results, and other security-related data that could aid an attacker in identifying weaknesses in the affected project or system. The confidentiality of the security reports is compromised to any anonymous user who can guess or enumerate MR security report URLs [1].
Mitigation
GitLab has fixed this issue in versions 15.8.5, 15.9.4, and 15.10.1 [1]. Users running GitLab EE should upgrade to the latest patched version immediately. No workaround is documented in the available references; applying the update is the recommended course of action [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.3.0, <15.8.5
- Range: >=15.9.0, <15.9.4
- Range: >=15.10.0, <15.10.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check on merge request security report endpoints allows unauthenticated access."
Attack vector
An unauthenticated attacker can access security reports attached to a merge request by visiting the MR security report URL (e.g., `https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109202/sast_reports`) in an incognito or private browsing window [ref_id=1]. No login, session, or special privileges are required. The attacker simply needs to know or guess the merge request ID and the report endpoint path.
Affected code
The issue report [ref_id=1] identifies that merge request security report endpoints (e.g., `/merge_requests/109202/sast_reports`) lack proper authorization checks. No specific function or file is named in the bundle, but the vulnerability lies in the controller or policy layer that serves these report views.
What the fix does
The bundle does not include a patch diff. The advisory [ref_id=1] states that the expected correct behavior is that security reports should be available only to developers and above. The fix would involve adding an authorization check (e.g., a `before_action` or policy guard) to the merge request security reports controller so that only authenticated users with at least the Developer role on the project can view the reports.
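The guard described above, as an added illustration in plain Ruby that is not GitLab's code: a constructed unguarded endpoint beside a hardened one whose policy check requires Developer or higher. The access-level numbers follow GitLab's `Gitlab::Access` constants; the `User`, `Project` and `SecurityReport` structs are constructed here so the example runs without Rails.

```ruby
# Constructed model of a merge request security report endpoint (not GitLab code).
# Access levels mirror GitLab's Gitlab::Access constants.
module Access
  GUEST      = 10
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
end

User = Struct.new(:name)                 # a nil user stands for an anonymous visitor
Project = Struct.new(:members) do        # members: { User => access_level }
  def access_level_for(user)
    user ? members.fetch(user, 0) : 0    # anonymous and non-members get level 0
  end
end
SecurityReport = Struct.new(:findings)

# Vulnerable behaviour (constructed): the report body is rendered for any caller,
# so an anonymous visitor who knows the MR id and path receives the findings.
def sast_report_unguarded(_user, _project, report)
  { status: 200, body: report.findings }
end

# Policy guard standing in for a `before_action`: only Developer and above may read.
def can_read_security_reports?(user, project)
  project.access_level_for(user) >= Access::DEVELOPER
end

# Hardened behaviour: the guard runs before anything is rendered. A 404 is used
# here (an assumption) so the response does not confirm that the MR exists.
def sast_report_guarded(user, project, report)
  return { status: 404, body: nil } unless can_read_security_reports?(user, project)
  { status: 200, body: report.findings }
end
```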
Preconditions
- auth: No authentication required; the attacker can be an unauthenticated or anonymous user.
- input: The attacker must know or guess a valid merge request ID and the security report endpoint path (e.g., /merge_requests/ID/sast_reports).
- config: The target GitLab instance must be running an affected version (12.3.0 through 15.8.5, 15.9.0 through 15.9.4, or 15.10.0 through 15.10.1).
Reproduction
1. Open an incognito/private browsing window or any browser session where you are not logged in to GitLab.
2. Navigate to a merge request security report URL, for example `https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109202/sast_reports`.
3. Observe that the security report content is displayed without any authentication prompt [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.