#VU124608 Improper Access Control in GitLab Community Edition and GitLab Enterprise Edition - CVE-2025-14595


Published: March 25, 2026 / Updated: March 26, 2026


Vulnerability identifier: #VU124608
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-14595
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
GitLab Community Edition
GitLab Enterprise Edition
Software vendor:
GitLab, Inc.

Description

The vulnerability allows a remote user to view security category metadata and attributes in the group security configuration.

The vulnerability exists due to improper access control in the GraphQL API when handling queries under certain conditions. A remote user with the Planner role can send a specially crafted GraphQL query to view security category metadata and attributes in the group security configuration.

Authentication and a specific role (Planner) are required to exploit this vulnerability.


Remediation

Install the security update from the vendor's website.

External links