CVE-2025-9484 - Vulnerability Details - OpenCVE

GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Gitlab	Gitlab

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Gitlab	Gitlab

References

Link	Providers
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
https://gitlab.com/gitlab-org/gitlab/-/issues/565363
https://hackerone.com/reports/3303810

History

Wed, 08 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries.
Title		Missing Authorization in GitLab
First Time appeared		Gitlab Gitlab gitlab
Weaknesses		CWE-862
CPEs		cpe:2.3:a:gitlab:gitlab::::::::
Vendors & Products		Gitlab Gitlab gitlab
References		https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/ https://gitlab.com/gitlab-org/gitlab/-/issues/565363 https://hackerone.com/reports/3303810
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitLab

Published: 2026-04-08T22:27:17.831Z

Updated: 2026-04-08T22:27:17.831Z

Reserved: 2025-08-26T08:33:31.412Z

Link: CVE-2025-9484

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-08T23:16:57.343

Modified: 2026-04-08T23:16:57.343

Link: CVE-2025-9484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:32Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9484", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-08-26T08:33:31.412Z", "datePublished": "2026-04-08T22:27:17.831Z", "dateUpdated": "2026-04-08T22:27:17.831Z"}, "containers": {"cna": {"title": "Missing Authorization in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.6", "status": "affected", "lessThan": "18.8.9", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.5", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/565363", "name": "GitLab Issue #565363", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/3303810", "name": "HackerOne Bug Bounty Report #3303810", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above."}], "credits": [{"lang": "en", "value": "Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T22:27:17.831Z"}}}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.6,18.8.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.9,18.9.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.10,18.10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-04-09T00:50:54.146352+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to GitLab 18.8.9, 18.9.5, or 18.10.3 or newer.", "If an upgrade cannot be performed immediately, block or limit access to GraphQL endpoints that expose user email addresses until the patch is applied."], "summary": {"action": "Patch Immediately", "impact": "Email data exposure"}, "threat_synthesis": {"affected_systems": "Affected versions of GitLab Enterprise Edition range from 16.6 through 18.8.8, 18.9.4, and 18.10.2. All releases prior to 18.8.9, 18.9.5, and 18.10.3 contain the flaw. Applying the vendor\u2019s patch by upgrading to version 18.8.9, 18.9.5, 18.10.3, or any later release removes the vulnerability.", "description_and_impact": "The vulnerability stems from missing authorization in certain GraphQL queries within GitLab Enterprise Edition, allowing any authenticated user to retrieve the email addresses of other users. This flaw exposes personally identifying information that can be misused in credential\u2011recovery or social\u2011engineering attacks. The weakness is classified as an authorization failure (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no public exploitation known. Because the exploit requires only authenticated access, any user with valid credentials could abuse the flaw; however, the lack of a publicly disclosed exploit reduces immediate risk."}}}}, "created": "2026-04-09T08:16:06.365009+00:00", "updated": "2026-04-09T08:25:32.461522+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}