CVE-2026-1516
Received Received - Intake
Information Disclosure via Code Quality Reports in GitLab EE

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: GitLab Inc.

Description
GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1516
EUVD
EUVD-2026-20793
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gitlab gitlab From 18.9.0 (inc) to 18.9.5 (exc)
gitlab gitlab From 18.10.0 (inc) to 18.10.3 (exc)
gitlab gitlab From 18.0.0 (inc) to 18.8.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in GitLab Enterprise Edition (EE) versions before certain patched releases allows an authenticated user to leak IP addresses of other users who are viewing Code Quality reports. The leak occurs through specially crafted content within these reports.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of IP addresses of users viewing Code Quality reports. This could potentially expose user location or network information to an attacker with authenticated access, which may be used for further targeted attacks or privacy violations.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade GitLab EE to a fixed version. Specifically, update to version 18.8.9 or later if you are on the 18.8.x branch, 18.9.5 or later if on the 18.9 branch, or 18.10.3 or later if on the 18.10 branch.

This will prevent authenticated users from leaking IP addresses of users viewing Code Quality reports via specially crafted content.

Compliance Impact

This vulnerability could potentially impact compliance with data protection regulations such as GDPR and HIPAA because it allows an authenticated user to leak IP addresses of users viewing Code Quality reports. IP addresses are considered personal data under GDPR, and unauthorized disclosure could lead to violations of privacy and data protection requirements.

However, the provided information does not explicitly state the compliance implications or whether this vulnerability has been linked to any regulatory breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1516. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart