CVE-2026-8716
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated user could access CI data from a different ref type in GitLab CE/EE, affecting versions before 18.10.7, 18.11.4, and 19.0.1.
Vulnerability
The vulnerability exists in GitLab CE/EE, affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. Under certain conditions, an authenticated user can access CI data from a ref type other than the one intended [1].
Exploitation
An attacker must be an authenticated user of the GitLab instance. The exact conditions are not detailed in the available references, but the issue involves accessing CI pipelines or jobs associated with a different ref (e.g., branch or tag) than the one they are authorized to view.
Impact
The impact is information disclosure, where an authenticated user can view CI data from other refs, potentially exposing sensitive information such as job logs or variables.
Mitigation
The issue is fixed in GitLab versions 18.10.7, 18.11.4, and 19.0.1 [1]. Users should upgrade to these versions or later. No workarounds are mentioned in the available reference.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=12.7, <19.0.1 or >=18.11, <18.11.4 or >=18.10.7, <19.0
Patches
No patches discovered yet.
References
- [1] about.gitlab.com/releases/2026/05/27/patch-release-gitlab-19-0-1-released/ (nvd; Release Notes; Vendor Advisory)
News mentions
- GitLab Patch Release: 19.0.1, 18.11.4, 18.10.7 (GitLab Security Releases · May 27, 2026)