CVE-2026-1080
Unauthorized Access via Iterations API in GitLab EE
Publication date: 2026-02-11
Last updated on: 2026-02-12
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.7.0 (inc) to 18.7.4 (exc) |
| gitlab | gitlab | From 18.8.0 (inc) to 18.8.4 (exc) |
| gitlab | gitlab | From 16.7.0 (inc) to 18.6.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab EE affects versions from 16.7 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4. Under certain conditions, it could allow an authenticated user to access iteration data from private descendant groups by querying the iterations API endpoint.
How can this vulnerability impact me? :
The impact of this vulnerability is that an authenticated user might gain unauthorized access to iteration data belonging to private descendant groups. This could lead to unintended disclosure of sensitive project iteration information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitLab EE to a fixed version. The issue is remediated in versions 18.6.6 and later for the 16.7 to 18.6 series, 18.7.4 and later for the 18.7 series, and 18.8.4 and later for the 18.8 series.