HIGHCVE-2026-2370Published 2026-03-29Modified 2026-03-30CNA GitLab

CVE-2026-2370: Improper Handling of Parameters in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 18.8.7
Affected Products: 1

Fix available

18.8.718.9.318.10.1

Affected packages

GitLab / GitLab
< 18.8.7 (from 14.3) · < 18.9.3 (from 18.9) · < 18.10.1 (from 18.10)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

HackerOne Bug Bounty Report #3522829
gitlab.com
about.gitlab.com

Metrics

Fix available