CVE-2026-2370
Modified
Modified - Updated After Analysis
Improper Authorization in GitLab Jira Connect Enables Credential Theft
Vulnerability report for CVE-2026-2370, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-03-30
Last updated on: 2026-06-30
Assigner: GitLab Inc.
Description
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.9.0 (inc) to 18.9.3 (exc) |
| gitlab | gitlab | 18.10.0 |
| gitlab | gitlab | From 18.9.0 (inc) to 18.9.3 (exc) |
| gitlab | gitlab | 18.10.0 |
| gitlab | gitlab | From 14.3.0 (inc) to 18.8.7 (exc) |
| gitlab | gitlab | From 14.3.0 (inc) to 18.8.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-233 | The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined. |