Zero Day MonitorZDM

← Back to list

4.3

CVE-2025-9484PATCHED

gitlab · gitlab

Missing Authorization in GitLab

Description

GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.

Affected Products

Vendor	Product	Versions
gitlab	gitlab	16.6, 18.9, 18.10, 18.8.8, 18.9.4, 18.10.2

References

https://gitlab.com/gitlab-org/gitlab/-/issues/565363(issue-tracking, permissions-required)
https://hackerone.com/reports/3303810(technical-description, exploit, permissions-required)
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2025-9484 | GitLab Enterprise Edition up to 18.8.8/18.9.4/18.10.2 Email Address authorization (Issue 565363)

→ No new info (linked only)

CVSS 3.14.3 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

18.8.918.9.518.10.3

CWECWE-862

PublishedApr 8, 2026

Last enriched4h agov2

Trending Score27

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2025-12664EXP

Improper Validation of Specified Quantity in Input in GitLab

CRITICALCVE-2026-1516EXP

Improper Control of Generation of Code ('Code Injection') in GitLab

CRITICALCVE-2026-5173EXP

Exposed Dangerous Method or Function in GitLab

HIGHCVE-2026-2104EXP

Authorization Bypass Through User-Controlled Key in GitLab

HIGHCVE-2026-1101

Improper Validation of Specified Quantity in Input in GitLab

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Patch Available

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Updated: affectedVersions, severity

Apr 9, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include 18.8.8, 18.9.4, and 18.10.2, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v15h ago

Initial creation