CVE-2025-9484
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GitLab EE information disclosure vulnerability allows authenticated users to access other users' email addresses via crafted GraphQL queries.
CVE-2025-9484 is an information disclosure vulnerability in GitLab Enterprise Edition (EE) affecting versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3. The root cause lies in improper access control within GraphQL resolvers, which under certain circumstances permits an authenticated user to query other users' email addresses that should not be visible to them.
Exploitation requires an authenticated user on the affected GitLab instance. The attacker sends specially crafted GraphQL queries to the API, bypassing intended visibility restrictions. The exact conditions that enable the leak are not publicly detailed, but the bug does not require administrative privileges or special network access beyond standard authentication.
A successful attack allows the malicious user to retrieve email addresses of other users, potentially leading to privacy breaches, targeted phishing campaigns, or further reconnaissance. The exposure of email addresses is considered a medium-severity issue (CVSS 3.1 base score 4.3).
GitLab has addressed the vulnerability in versions 18.10.3, 18.9.5, and 18.8.9, which were released on April 8, 2026. Administrators of self-managed installations are strongly recommended to upgrade immediately; GitLab.com and GitLab Dedicated customers are already protected and have no action required. No workarounds have been announced for unpatched versions [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* (range: >=16.6.0, <18.8.9)
- (no CPE) (range: >=16.6 <18.8.9, >=18.9 <18.9.5, >=18.10 <18.10.3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ (NVD tags: Vendor Advisory, Release Notes)
- gitlab.com/gitlab-org/gitlab/-/issues/565363 (NVD tags: Broken Link)
- hackerone.com/reports/3303810 (NVD tags: Permissions Required)
News mentions
- GitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 (GitLab Security Releases, Apr 8, 2026)