PatchSiren cyber security CVE debrief

CVE-2025-13874 Hackerone CVE debrief

GitLab remediated an authorization flaw in GitLab CE/EE that could allow an authenticated user with Guest permissions to view issues in projects they were not authorized to access. The issue is tracked as CVE-2025-13874 and was publicly disclosed on 2026-05-14. It affects GitLab CE/EE versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3.

Vendor: Hackerone
Product: Unknown
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

GitLab CE/EE administrators, security teams, and project owners who rely on Guest-role access controls should prioritize this advisory, especially if Guest access is enabled across many projects or sensitive issues are stored in GitLab.

Technical summary

This is an access-control bypass classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating a network-reachable issue that requires low-privilege authenticated access and results in limited confidentiality impact. According to the advisory text, a Guest user could view issues in projects outside their authorization boundary.

Defensive priority

Medium. The vulnerability requires authenticated access, but it undermines project-level confidentiality and can expose issue content to users with only Guest permissions.

Recommended defensive actions

  • Upgrade GitLab CE/EE to 18.9.7, 18.10.6, or 18.11.3, depending on your release line.
  • Verify whether Guest access is enabled on any projects that contain sensitive issue data.
  • Review project membership and permission assignments for accounts with Guest roles.
  • Audit issue visibility and access controls in projects where Guest users are present.
  • Use the official GitLab release note and advisory references to confirm remediation status across your deployments.
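The first three actions above can be scripted against the GitLab REST API. The helper below is an added example, not GitLab's own code or tooling: it compares an instance version against the fixed releases named in this advisory and lists every Guest-level membership (GitLab's API uses access_level 10 for Guest) that should be reviewed. It assumes a read-scoped token in a GITLAB_TOKEN environment variable and the instance URL in GITLAB_URL; without them it runs against constructed sample data.

```python
import json
import os
import urllib.request

# Fixed releases from the advisory: 15.1 before 18.9.7, 18.10 before 18.10.6, 18.11 before 18.11.3.
FIXED = {(18, 9): (18, 9, 7), (18, 10): (18, 10, 6), (18, 11): (18, 11, 3)}
GUEST = 10  # access_level value the GitLab API uses for the Guest role

def parse_version(text):
    """'18.9.7-ee' -> (18, 9, 7); edition suffixes such as '-ee' are dropped."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])

def is_affected(version):
    """True when the version falls inside an affected range of CVE-2025-13874."""
    v = parse_version(version)
    if v < (15, 1, 0):
        return False
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    # Lines from 15.1 through 18.8 received no fix; lines after 18.11 shipped fixed.
    return v[:2] < (18, 9)

def guest_members(projects, members_by_project):
    """(project path, username) for every Guest membership, inherited ones included."""
    return [(p["path_with_namespace"], m["username"])
            for p in projects for m in members_by_project.get(p["id"], [])
            if m.get("access_level") == GUEST]

def api_get(base_url, token, path):
    """GET a GitLab REST API path; paging past 100 items is left to the caller."""
    req = urllib.request.Request(f"{base_url}/api/v4{path}", headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample data shaped like the API responses, so the checks run offline.
SAMPLE_PROJECTS = [{"id": 1, "path_with_namespace": "acme/payments"}, {"id": 2, "path_with_namespace": "acme/website"}]
SAMPLE_MEMBERS = {1: [{"username": "alice", "access_level": 40}, {"username": "contractor-a", "access_level": GUEST}],
                  2: [{"username": "bob", "access_level": 30}]}

if __name__ == "__main__":
    base, token = os.environ.get("GITLAB_URL"), os.environ.get("GITLAB_TOKEN")  # assumed env vars
    if base and token:  # live mode: query the instance for projects the token can see
        version = api_get(base, token, "/version")["version"]
        projects = api_get(base, token, "/projects?membership=true&simple=true&per_page=100")
        members = {p["id"]: api_get(base, token, f"/projects/{p['id']}/members/all?per_page=100") for p in projects}
    else:  # offline mode: constructed sample
        version, projects, members = "18.9.6-ee", SAMPLE_PROJECTS, SAMPLE_MEMBERS
    print(f"GitLab {version}: {'AFFECTED' if is_affected(version) else 'fixed'}")
    for path, user in guest_members(projects, members):
        print(f"review Guest access: {user} in {path}")
```

The project listing is capped at 100 items per page; on larger instances follow the API's pagination headers before treating the inventory as complete.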

Evidence notes

Source material consistently states that GitLab CE/EE versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 were affected. The advisory describes an authenticated Guest user being able to view issues in projects they were not authorized to access. NVD lists the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and CWE-639. Dates used here reflect the CVE/source publication timestamps provided: 2026-05-14.

Official resources

Publicly disclosed on 2026-05-14 via CVE/NVD and the GitHub Advisory Database, with references to a HackerOne report and GitLab release materials.