Generation of Error Message Containing Sensitive Information in GitLab
Description
An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE 16.0.0–16.0.5 and 16.1.0 expose GitHub import error details to unauthenticated users via an unauthenticated endpoint.
Vulnerability
The failures action in Import::GithubController lacks authorization checks, allowing unauthenticated access to import error information for any project imported from GitHub [1]. This affects GitLab CE/EE versions from 16.0.0 prior to 16.0.6, and version 16.1.0.
Exploitation
An unauthenticated attacker can send a GET request to /import/github/failures?project_id=PROJECT_ID with a valid project ID that was imported from GitHub. No authentication or user interaction is required [1].
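The request above is what an instance's request log would record, so the practical question for an operator is whether it was ever served to an anonymous client. The following is an added example, not code from GitLab or from the cited issue: a small Ruby detector that scans lines in the shape of GitLab's `production_json.log` and flags hits on `Import::GithubController#failures` with no authenticated user. The sample log lines are constructed, and the field names (`controller`, `action`, `status`, `user_id`, `remote_ip`, `params`) are assumed to match that log format; check them against a real log line from your instance before relying on the output.

```ruby
require 'json'

# Constructed sample lines in the shape of GitLab's production_json.log.
# Field names are assumed, not taken from the advisory; verify against a
# line from your own instance. Line 1: anonymous hit that was served (the
# condition this CVE describes). Line 2: authenticated user. Line 3:
# anonymous hit redirected (what a patched instance would log). Line 4:
# unrelated controller. Line 5: garbage that must not break the scan.
SAMPLE_LOG = <<~'LOG'
  {"method":"GET","path":"/import/github/failures","controller":"Import::GithubController","action":"failures","status":200,"params":[{"key":"project_id","value":"42"}],"user_id":null,"username":null,"remote_ip":"203.0.113.10","time":"2023-06-28T10:00:00.000Z"}
  {"method":"GET","path":"/import/github/failures","controller":"Import::GithubController","action":"failures","status":200,"params":[{"key":"project_id","value":"42"}],"user_id":7,"username":"alice","remote_ip":"198.51.100.5","time":"2023-06-28T10:01:00.000Z"}
  {"method":"GET","path":"/import/github/failures","controller":"Import::GithubController","action":"failures","status":302,"params":[{"key":"project_id","value":"43"}],"user_id":null,"username":null,"remote_ip":"203.0.113.11","time":"2023-06-30T10:02:00.000Z"}
  {"method":"GET","path":"/projects/42","controller":"ProjectsController","action":"show","status":200,"params":[],"user_id":null,"username":null,"remote_ip":"203.0.113.12","time":"2023-06-28T10:03:00.000Z"}
  not json at all
LOG

# Pull a single query/body parameter out of the params array the log carries.
def param_value(entry, name)
  Array(entry['params']).find { |p| p['key'] == name }&.fetch('value', nil)
end

# Return one hash per request to Import::GithubController#failures that
# carried no authenticated user. A 200 means the error details were served
# (:disclosed); any other status is still an anonymous probe (:probe), which
# is worth noticing on a patched instance too. Authenticated requests are
# left out: those users were authorized through the normal project checks.
def suspicious_requests(log_text)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      next # skip non-JSON lines (truncated writes, mixed text logs)
    end

    next unless entry['controller'] == 'Import::GithubController' &&
                entry['action'] == 'failures'
    next unless entry['user_id'].nil? # covers both null and absent user_id

    {
      time: entry['time'],
      remote_ip: entry['remote_ip'],
      project_id: param_value(entry, 'project_id'),
      status: entry['status'],
      verdict: entry['status'] == 200 ? :disclosed : :probe
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Run against the constructed sample; swap in File.read of the real log.
  suspicious_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

A `:disclosed` entry dated inside the vulnerable window (16.0.0 to 16.0.5, or 16.1.0) is the signal to treat the affected project's import error output as exposed; `:probe` entries after the upgrade only tell you who is still looking.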
Impact
The attacker gains access to import error details, which may include sensitive information such as error messages, file paths, or other data exposed by the GitHub import process. This constitutes an information disclosure vulnerability [1].
Mitigation
Fixed in GitLab CE/EE 16.0.6 and 16.1.1 (the 16.0.x and 16.1.x patch releases, respectively). No workaround is available; administrators should upgrade to a patched version [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=16.0, <16.0.6
- Range: =16.1.0
Patches
No patches discovered yet.
References
- [1] https://gitlab.com/gitlab-org/gitlab/-/issues/415131 (mitre, issue-tracking)
News mentions
- GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10 (GitLab Security Releases, Jun 29, 2023)