Insertion of Sensitive Information Into Sent Data in GitLab
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the super_sidebar_logged_out feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab CE/EE versions with the super_sidebar_logged_out feature flag enabled may leak version metadata to unauthenticated users via the new sidebar.
Vulnerability
An issue in GitLab CE/EE affects versions from 16.0 before 16.3.6, from 16.4 before 16.4.2, and from 16.5.0 before 16.5.1 when the super_sidebar_logged_out feature flag is enabled (it is disabled by default). The new logged-out sidebar performs an unconditional version check, which places GitLab version metadata in the DOM where unauthorized actors can read it [1].
Exploitation
An attacker requires no authentication or special privileges. On a public GitLab instance with the feature flag enabled, simply browsing the instance triggers the version check, leaking version information in the DOM. No user interaction beyond accessing the instance is needed [1].
Impact
Successful exploitation results in disclosure of the GitLab version metadata. This information can be used by attackers to identify and target specific version-dependent vulnerabilities. No other confidentiality, integrity, or availability impact is described [1].
Mitigation
Fixed in GitLab versions 16.3.6, 16.4.2, and 16.5.1. Users should upgrade to these or later versions. As a workaround, ensure the super_sidebar_logged_out feature flag remains disabled (its default state). No KEV listing is associated with this CVE [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >= 16.0, < 16.3.6 || >= 16.4, < 16.4.2 || >= 16.5.0, < 16.5.1
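The affected range above combines a version window with a feature-flag condition, and both have to hold for an instance to be exposed. The following is an added example (not code from GitLab or from this advisory's source) that parses the range expression exactly as printed here and evaluates an inventory of instances against it; the inventory entries and their flag states are constructed sample data, and the gitlab-rails command mentioned in the comments is the documented way to read a feature flag from the Rails console.

```python
"""Evaluate GitLab instances against the advisory's affected-version ranges.

Added example: the range string is copied from the advisory; instance data is constructed.
"""
import re

# Range expression as published in the "Affected products" section.
AFFECTED_RANGES = ">= 16.0, < 16.3.6 || >= 16.4, < 16.4.2 || >= 16.5.0, < 16.5.1"

FLAG = "super_sidebar_logged_out"

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '16.3.6' (or '16.3.6-ee') into a 3-tuple of ints for ordered comparison."""
    core = text.strip().split("-")[0]          # drop edition suffixes such as -ee / -ce
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                      # '16.0' means 16.0.0 in this range syntax
        parts.append(0)
    return tuple(parts[:3])


def parse_ranges(spec):
    """Parse 'OP ver, OP ver || ...' into a list of clauses; each clause is a list of (op, version)."""
    clauses = []
    for clause in spec.split("||"):
        bounds = [(m.group(1), parse_version(m.group(2)))
                  for m in re.finditer(r"(>=|<=|>|<|=)\s*([0-9][0-9.]*)", clause)]
        if bounds:
            clauses.append(bounds)
    return clauses


def version_in_ranges(version, spec=AFFECTED_RANGES):
    """True if the version satisfies every bound of at least one '||'-separated clause."""
    v = parse_version(version)
    return any(all(_OPS[op](v, bound) for op, bound in clause)
               for clause in parse_ranges(spec))


def assess(version, flag_enabled):
    """Return (exposed, reason) for one instance.

    flag_enabled is what `gitlab-rails runner "puts Feature.enabled?(:super_sidebar_logged_out)"`
    reports on the instance (assumed to have been collected out of band).
    """
    if not version_in_ranges(version):
        return False, "version outside affected ranges"
    if not flag_enabled:
        return False, f"vulnerable version but {FLAG} is disabled (default); upgrade still advised"
    return True, f"vulnerable version with {FLAG} enabled: upgrade or disable the flag"


def exposed_instances(inventory):
    """Names of instances that are actually exposed, from {name: (version, flag_enabled)}."""
    return sorted(name for name, (ver, flag) in inventory.items() if assess(ver, flag)[0])


# Constructed sample inventory: (reported version, feature flag state).
SAMPLE_INVENTORY = {
    "git-prod": ("16.3.5-ee", True),    # in range, flag on  -> exposed
    "git-staging": ("16.4.1-ee", False),  # in range, flag off -> not exposed, still upgrade
    "git-lab": ("16.5.1-ce", True),     # fixed release      -> not exposed
    "git-legacy": ("15.11.13-ce", True),  # below 16.0        -> not exposed
}

if __name__ == "__main__":
    for name, (ver, flag) in SAMPLE_INVENTORY.items():
        exposed, why = assess(ver, flag)
        print(f"{name:12} {ver:12} exposed={exposed}  {why}")
    print("exposed:", exposed_instances(SAMPLE_INVENTORY))
```

Because the lower bounds are inclusive and the upper bounds exclusive, 16.3.6, 16.4.2 and 16.5.1 themselves evaluate as not affected, matching the fixed versions listed under Mitigation.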
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] gitlab.com/gitlab-org/gitlab/-/issues/428919 (MITRE; issue tracking; permissions required)
News mentions
GitLab Security Release: 16.5.1, 16.4.2, 16.3.6 (GitLab Security Releases, Oct 31, 2023)