Unrated severity · NVD Advisory · Published Sep 1, 2023 · Updated Apr 27, 2026
Direct Request ('Forced Browsing') in GitLab
CVE-2023-4018
Description
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5 and all versions starting from 16.3 before 16.3.1. Due to improper permission validation, it was possible to create model experiments in public projects.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:* (range: 16.2)
- (no CPE) range: >=16.2, <16.2.5 || >=16.3, <16.3.1
References
- hackerone.com/reports/2083440 (source: MITRE; tags: technical-description, exploit, permissions-required)
- gitlab.com/gitlab-org/gitlab/-/issues/420301 (source: MITRE; tags: issue-tracking, permissions-required)
News mentions
- GitLab Security Release: 16.3.1, 16.2.5, and 16.1.5 (GitLab Security Releases, Aug 31, 2023)