PatchSiren cyber security CVE debrief

CVE-2026-1322 Hackerone CVE debrief

GitLab has remediated an authorization issue in GitLab CE/EE that could have allowed an authenticated user with a read_api-scoped OAuth application to create issues and add comments in private projects. The advisory covers GitLab versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. Although the CVSS score is Medium, the impact is meaningful for organizations that rely on private GitLab projects and OAuth integrations.

Vendor: Hackerone
Product: Unknown
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

GitLab administrators, DevOps and platform teams, and security owners managing GitLab CE/EE instances—especially environments that use OAuth applications, private projects, or delegated integrations with read_api scope.

Technical summary

The issue is described as improper authorization in GitLab CE/EE. An authenticated user with a read_api-scoped OAuth application could create issues and add comments to issues in private projects. Because the read_api scope is meant to grant read-only API access, accepting these write actions indicates a breakdown in access-control enforcement around issue-related operations. The affected range starts at 16.0 and extends up to, but not including, the fixed releases 18.9.7, 18.10.6, and 18.11.3. The advisory does not describe availability impact; the reported impact is on the confidentiality and integrity of private project issue data.

Defensive priority

Medium-high operational priority: the CVSS score is 6.8/Medium, but the exposure involves private-project authorization and can undermine trust in issue tracking and collaboration workflows. Prioritize remediation if your GitLab instance supports OAuth apps or hosts sensitive private projects.

Recommended defensive actions

  • Upgrade GitLab CE/EE to 18.11.3, 18.10.6, 18.9.7, or later, depending on your release track.
  • Inventory OAuth applications and review any use of read_api scope; disable or remove unnecessary integrations.
  • Review private-project issue and comment activity around the exposure window for unexpected authored actions.
  • Check GitLab authentication and application logs for issue/comment actions tied to OAuth applications or accounts with read_api access.
  • Confirm the instance is fully patched across all nodes and supporting components, then verify the deployed version after maintenance.
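As an added example (not part of the PatchSiren debrief or GitLab's own code), the version check behind the last action above, using the affected ranges this debrief states; it assumes the version string comes from GitLab's GET /api/v4/version endpoint, whose JSON body carries a "version" field, and the sample response in the block is constructed.

```python
"""Decide whether a GitLab version falls in the CVE-2026-1322 affected ranges
and which fixed release closes it (added example, not vendor code). Assumes
the version string comes from GET /api/v4/version ("version" JSON field)."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, inclusive; first fixed, exclusive) per release track, taken
# from the advisory: 16.0 < 18.9.7, 18.10 < 18.10.6, 18.11 < 18.11.3
AFFECTED_RANGES = [
    ((16, 0, 0), (18, 9, 7)),
    ((18, 10, 0), (18, 10, 6)),
    ((18, 11, 0), (18, 11, 3)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text: str) -> Version:
    """Turn '18.9.6', '18.9.6-ee' or '18.10.5-ce.0' into a comparable tuple.
    Edition/build suffixes (-ee, -ce.0, -pre) do not change patch status."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def minimum_fixed_release(text: str) -> Optional[str]:
    """Return the first fixed release on the instance's track, or None when
    the version is outside every affected range (already fixed or unlisted)."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None

def is_affected(text: str) -> bool:
    return minimum_fixed_release(text) is not None

def assess_instance(version_body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version."""
    version = json.loads(version_body)["version"]
    fix = minimum_fixed_release(version)
    return {"version": version, "affected": fix is not None, "upgrade_to": fix}

if __name__ == "__main__":
    # Constructed sample response; the revision value is a placeholder.
    sample = '{"version": "18.10.5-ee", "revision": "0000000"}'
    print(assess_instance(sample))
```

Run it against the live endpoint only after the upgrade as well, since the advisory's ranges treat 18.9.7, 18.10.6 and 18.11.3 as the first safe release on each track.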

Evidence notes

The vulnerability description and fixed versions come from the GitHub Advisory Database entry for GHSA-27g3-rwx2-w54w, which cites the NVD record, a HackerOne report, and the GitLab patch release announcement. The NVD entry provides the CVSS vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) and publication timing. Use the official CVE and NVD pages and the GitLab release note for validation.

Official resources

The CVE was publicly disclosed on 2026-05-14 06:31:33 UTC, with the NVD record published earlier the same day at 06:16:21 UTC. This advisory is based on the published CVE and the associated GitLab remediation references.