Zero Day MonitorZDM

← Back to list

4.3

CVE-2026-2104EXPLOITEDPATCHED

gitlab · gitlab

Authorization Bypass Through User-Controlled Key in GitLab

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks.

Affected Products

Vendor	Product	Versions
gitlab	gitlab	18.2, 18.9, 18.10, 18.8.8, 18.9.4, 18.10.2

References

https://hackerone.com/reports/3541476(technical-description, exploit, permissions-required)
https://gitlab.com/gitlab-org/gitlab/-/work_items/589021
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/

Related News (1 articles)

Tier C

VulDB2h ago

CVE-2026-2104 | GitLab Community Edition/Enterprise Edition up to 18.8.8/18.9.4/18.10.2 authorization

→ No new info (linked only)

CVSS 3.14.3 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

18.8.918.9.518.10.3

CWECWE-639

PublishedApr 8, 2026

Last enriched2h agov2

Trending Score47

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-1516EXP

Improper Control of Generation of Code ('Code Injection') in GitLab

CRITICALCVE-2026-5173EXP

Exposed Dangerous Method or Function in GitLab

CRITICALCVE-2025-12664EXP

Improper Validation of Specified Quantity in Input in GitLab

HIGHCVE-2025-9484

Missing Authorization in GitLab

HIGHCVE-2026-1101

Improper Validation of Specified Quantity in Input in GitLab

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 8, 2026

Discovered by ZDM

Apr 8, 2026

Actively Exploited

Apr 8, 2026

Patch Available

Apr 8, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 9, 2026

Version History

v2

Last enriched 2h ago

v2Tier C2h ago

Updated affected versions to include 18.8.8, 18.9.4, and 18.10.2, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverityactivelyExploited

via VulDB

v14h ago

Initial creation