Unrated severity · NVD Advisory · Published Sep 1, 2023 · Updated Nov 20, 2025

Cleartext Storage of Sensitive Information in GitLab

CVE-2023-3950

Description

An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GitLab EE 16.2 prior to 16.2.5 and 16.3 prior to 16.3.1 leak the Google Cloud Logging private key to other Group Owners who view the group's audit stream settings.

Vulnerability

In GitLab EE 16.2.0 and later versions prior to 16.2.5, and 16.3.0 prior to 16.3.1, the private key used to authenticate to Google Cloud Logging for audit event streaming destinations is displayed in plain text in the UI. When a Group Owner configures this destination, any other Group Owner viewing the audit stream settings can see the full private key [1].

Exploitation

An attacker who is a Group Owner of a GitLab group where Google Cloud Logging streaming has been configured can navigate to the group's audit events page (/groups/YOUR_GROUP/-/audit_events?tab=streams) and view the private key in plain text. No additional privileges or user interaction beyond being a Group Owner are required. The attacker must have access to the GitLab instance as a user with the Owner role for that group [1].

Impact

Successful exploitation allows a Group Owner to read the Google Cloud private key that authenticates the GitLab group to Google Cloud Logging. This key could be used to access the associated Google Cloud project resources, depending on the key's permissions, leading to unauthorized access to cloud logging data or other services. The impact crosses trust boundaries from GitLab to Google Cloud [1].

Mitigation

GitLab has addressed this issue by making the private key write-only in versions 16.2.5 and 16.3.1. Users should upgrade to GitLab EE 16.2.5 or 16.3.1 (or later). No workaround is available; anyone affected should rotate the exposed private key after upgrading. For self-managed instances, update to the fixed versions as soon as possible. GitLab.com was also updated to the fixed versions [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Google Cloud Logging private key was displayed in plain text in the GitLab UI instead of being redacted, allowing other group owners to read the secret."

Attack vector

An attacker who is a Group Owner of a GitLab group that has Google Cloud Logging audit event streaming configured can view the private key in plain text by navigating to the group's audit events streaming page and expanding the configured destination [ref_id=1]. The key is displayed without any masking or redaction, unlike other secret inputs in GitLab [ref_id=1]. The attacker needs to be added as an owner of the group or already have owner-level access [ref_id=1].

Affected code

The bundle does not specify exact file paths or function names. The vulnerability exists in the Google Cloud Logging audit event streaming destination configuration UI, introduced in GitLab EE 16.2 [ref_id=1].

What the fix does

The fix ensures that the Google Cloud Logging private key is treated as a secret input — owners can write (set) the key but cannot read it back through the UI [ref_id=1]. The issue was addressed in GitLab EE versions 16.2.5 and 16.3.1 [ref_id=1]. No patch diff is included in the bundle, but the advisory states the key is now redacted from display, consistent with how GitLab handles other sensitive tokens and keys [ref_id=1].
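As an added illustration of the write-only treatment described here, and of the version guidance in the Mitigation section above, the following Ruby sketch shows a streaming-destination object whose private key can be set or rotated but is never returned by its serializer, together with a helper that classifies an instance version against the advisory's affected ranges. This is example code, not GitLab's own; the class name, method names, sample key and the assumption that the raw key is only ever handed to a signing block are all hypothetical.

```ruby
# Added illustration (not GitLab's code): a "write-only" secret attribute for a
# Google Cloud Logging audit streaming destination, plus an affected-version
# check. Class and method names are hypothetical; the key material is a
# constructed placeholder, not a real key.

class GoogleCloudLoggingDestination
  REDACTED = "[REDACTED]".freeze

  attr_reader :name, :project_id, :log_id

  def initialize(name:, project_id:, log_id:)
    @name = name
    @project_id = project_id
    @log_id = log_id
    @private_key = nil
  end

  # Owners may set (or rotate) the key, but there is deliberately no reader.
  def private_key=(pem)
    if pem.nil? || pem.strip.empty?
      raise ArgumentError, "private key must be a non-empty string"
    end
    @private_key = pem.dup.freeze
  end

  def private_key_present?
    !@private_key.nil?
  end

  # Only the component that actually signs requests gets the raw key, and it
  # is yielded to a block rather than returned, so it does not leak into
  # presenters, API responses or log lines that serialize the object.
  def with_private_key
    raise "no private key configured" unless private_key_present?
    yield @private_key
  end

  # What the UI / API serializer sees: the key is represented by a redaction
  # marker (or nil when unset), never by its value. The pre-fix behaviour this
  # page describes returned the value itself here.
  def to_h
    {
      name: name,
      project_id: project_id,
      log_id: log_id,
      private_key: private_key_present? ? REDACTED : nil
    }
  end

  # Keep the key out of Ruby's default inspect output (and thus out of
  # exception messages and debug logging) as well.
  def inspect
    key_state = private_key_present? ? REDACTED : "nil"
    "#<#{self.class.name} name=#{name.inspect} project_id=#{project_id.inspect} " \
      "private_key=#{key_state}>"
  end
end

# Affected ranges taken from the advisory text: 16.2.x before 16.2.5 and
# 16.3.x before 16.3.1. Versions outside those minor lines are not affected.
AFFECTED_RANGES = [
  { line: [16, 2], fixed_patch: 5 },
  { line: [16, 3], fixed_patch: 1 }
].freeze

def affected_version?(version)
  major, minor, patch = version.split(".").map(&:to_i)
  patch ||= 0 # "16.2" is treated as 16.2.0
  AFFECTED_RANGES.any? do |r|
    [major, minor] == r[:line] && patch < r[:fixed_patch]
  end
end

if __FILE__ == $PROGRAM_NAME
  dest = GoogleCloudLoggingDestination.new(name: "audit-stream",
                                           project_id: "example-project",
                                           log_id: "gitlab-audit")
  # Constructed placeholder, not real key material.
  dest.private_key = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END PRIVATE KEY-----\n"
  puts dest.to_h.inspect
  puts dest.inspect
  puts "16.2.4 affected? #{affected_version?('16.2.4')}"
  puts "16.2.5 affected? #{affected_version?('16.2.5')}"
end
```

The design point is that redaction happens at the object boundary rather than in one particular view: any serializer, log formatter or error message that reaches the object through `to_h` or `inspect` gets the marker, and the raw key is reachable only by code that explicitly asks for it inside a block. A rotation after upgrading, as the Mitigation section recommends, is simply another call to the writer.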

Preconditions

  • Auth: Attacker must be a Group Owner of the target GitLab group.
  • Config: The group must have a Google Cloud Logging audit event streaming destination configured with a private key.

Reproduction

1. Create a user with Ultimate access and create a new group.
2. Navigate to the group's audit events streaming page and add a Google Cloud Logging destination with a fake private key.
3. Save the destination, then expand the created stream: the private key is shown in plain text.
4. Optionally, add another user as an owner of the group, log in as that user, and view the same page to see the key [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 1