{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14595", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-12-12T16:33:40.328Z", "datePublished": "2026-03-25T16:34:43.856Z", "dateUpdated": "2026-03-27T14:58:40.717Z"}, "containers": {"cna": {"title": "Missing Authorization in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control"}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://[email protected]:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "18.6", "status": "affected", "lessThan": "18.8.7", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.3", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://hackerone.com/reports/3457779", "name": "HackerOne Bug Bounty Report #3457779", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583971"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "credits": [{"lang": "en", "value": "Thanks [kamikaze1337](https://hackerone.com/kamikaze1337) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:34:43.856Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T14:58:30.286645Z", "id": "CVE-2025-14595", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:58:40.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14595", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T14:58:30.286645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T14:58:37.199Z"}}], "cna": {"title": "Missing Authorization in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [kamikaze1337](https://hackerone.com/kamikaze1337) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://[email protected]:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "18.6", "lessThan": "18.8.7", "versionType": "semver"}, {"status": "affected", "version": "18.9", "lessThan": "18.9.3", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."}], "references": [{"url": "https://hackerone.com/reports/3457779", "name": "HackerOne Bug Bounty Report #3457779", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583971"}, {"url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-03-25T16:34:43.856Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14595", "state": "PUBLISHED", "dateUpdated": "2026-03-27T14:58:40.717Z", "dateReserved": "2025-12-12T16:33:40.328Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-03-25T16:34:43.856Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "DEB82ED4-D7EE-476D-B925-3B1244A34599", "versionEndExcluding": "18.8.7", "versionStartIncluding": "18.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E97386DE-180F-4FD1-AC93-F3263F55C540", "versionEndExcluding": "18.8.7", "versionStartIncluding": "18.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "96F7E7EC-4C2E-4A48-8134-9262B251C89C", "versionEndExcluding": "18.9.3", "versionStartIncluding": "18.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C3240349-67A3-43E2-BAD9-EFAA3E0A5D31", "versionEndExcluding": "18.9.3", "versionStartIncluding": "18.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:community:*:*:*", "matchCriteriaId": "D5B6ECC9-6AEA-4DD0-B12B-A3A7A9FE91DA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:18.10.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2B8DF779-B99E-4096-B734-78AB1849D136", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that under certain conditions could have allowed an authenticated user with Planner role to view security category metadata and attributes in group security configuration due to improper access control"}], "id": "CVE-2025-14595", "lastModified": "2026-03-26T18:28:05.517", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-25T17:16:27.363", "references": [{"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/"}, {"source": "[email protected]", "tags": ["Broken Link"], "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/583971"}, {"source": "[email protected]", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3457779"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.6,18.8.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.9,18.9.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.10,18.10.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-03-26T19:52:53.868244+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.8.7, 18.9.3, 18.10.1, or later"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access to Security Configuration Data"}, "threat_synthesis": {"affected_systems": "The affected versions are all releases from 18.6 up to, but not including, 18.8.7; from 18.9 up to, but not including, 18.9.3; and from 18.10 up to, but not including, 18.10.1. Both the Community and Enterprise builds are impacted, as indicated by the CPE entries for version 18.10.0 and earlier.", "description_and_impact": "GitLab\u2019s Enterprise and Community editions contain an access control flaw that allows an authenticated user with a Planner role to view security category metadata and attributes in group security configuration. This improper authorization vulnerability exposes confidential configuration information that could give an attacker insight into the organization\u2019s security posture. The weakness is classified as CWE-862 and can lead to unintended disclosure of sensitive data.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate impact, while the EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, further implying limited known exploitation. Attackers must first obtain authenticated credentials with Planner permissions, meaning social engineering or credential compromise is required. Because the flaw only reveals configuration data and does not provide code execution or privilege escalation, the primary concern is confidentiality loss rather than a direct compromise of the system. Nonetheless, organizations should prioritize patching to eliminate this information disclosure risk."}}}}, "created": "2026-03-25T21:46:48.371048+00:00", "updated": "2026-03-27T09:30:20.509434+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}