CVE-2026-1724

EUVD-2026-15484
GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an unauthenticated user to access API tokens of self-hosted AI models due to improper access control.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
GitLabCNA
6.8 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
gitlabgitlab
18.5.0 ≤
𝑥
< 18.8.7
gitlabgitlab
18.9.0 ≤
𝑥
< 18.9.3
gitlabgitlab
18.10.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/
https://gitlab.com/gitlab-org/gitlab/-/work_items/588334
https://hackerone.com/reports/3531412