CVE-2026-0602

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to disclose metadata from private issues, merge requests, epics, milestones, or commits due to improper filtering in the snippet rendering process under certain circumstances.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/	Release Notes Vendor Advisory
https://gitlab.com/gitlab-org/gitlab/-/work_items/585007	Broken Link
https://hackerone.com/reports/3486504	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*
	cpe:2.3:a:gitlab:gitlab:::::community:::*
	cpe:2.3:a:gitlab:gitlab:::::enterprise:::*

History

17 Mar 2026, 20:59

Type	Values Removed	Values Added
CPE		cpe:2.3:a:gitlab:gitlab:::::enterprise:::* cpe:2.3:a:gitlab:gitlab:::::community:::*
Summary		(es) GitLab ha remediado un problema en GitLab CE/EE que afectaba a todas las versiones desde la 15.6 anterior a la 18.7.6, la 18.8 anterior a la 18.8.6, y la 18.9 anterior a la 18.9.2 que podría haber permitido a un usuario autenticado divulgar metadatos de incidencias privadas, solicitudes de fusión, epics, hitos o commits debido a un filtrado inadecuado en el proceso de renderizado de snippets bajo ciertas circunstancias.
References	~~() https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/ -~~	() https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released/ - Release Notes, Vendor Advisory
References	~~() https://gitlab.com/gitlab-org/gitlab/-/work_items/585007 -~~	() https://gitlab.com/gitlab-org/gitlab/-/work_items/585007 - Broken Link
References	~~() https://hackerone.com/reports/3486504 -~~	() https://hackerone.com/reports/3486504 - Permissions Required
First Time		Gitlab Gitlab gitlab

11 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 16:16

Updated : 2026-03-17 20:59

NVD link : CVE-2026-0602

Mitre link : CVE-2026-0602

CVE.ORG link : CVE-2026-0602

JSON object : View

Products Affected

gitlab

gitlab

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

4.3 /10