CVE-2026-11827 PUBLISHED

Insufficiently Protected Credentials in GitLab

Assigner: GitLab
Reserved: 09.06.2026 Published: 08.07.2026 Updated: 09.07.2026

GitLab has remediated an issue in GitLab EE affecting all versions from 9.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to obtain another user's stored credentials due to improper authorization controls.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.9

Product Status

Vendor GitLab
Product GitLab
Versions Default: unaffected
  • affected from 9.5 to 18.11.7 (excl.)
  • affected from 19.0 to 19.0.4 (excl.)
  • affected from 19.1 to 19.1.2 (excl.)

Solutions

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.

Credits

  • Thanks [rogerace](https://hackerone.com/rogerace) for reporting this vulnerability through our HackerOne bug bounty program finder

References

Problem Types

  • CWE-522: Insufficiently Protected Credentials CWE