CVE-2026-3160

Exploit

EPSS 0.01%
Veröffentlicht 14.05.2026 05:35:57
Zuletzt bearbeitet 16.05.2026 03:34:41
Quelle cve@gitlab.com
CVE-Watchlists
Login
Unerledigt
Login

Unintended Proxy or Intermediary ('Confused Deputy') in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 6 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gitlab ≫ GitLab SwEditioncommunity Version >= 13.7.0 < 18.9.7

Gitlab ≫ GitLab SwEditionenterprise Version >= 13.7.0 < 18.9.7

Gitlab ≫ GitLab SwEditioncommunity Version >= 18.10.0 < 18.10.6

Gitlab ≫ GitLab SwEditionenterprise Version >= 18.10.0 < 18.10.6

Gitlab ≫ GitLab SwEditioncommunity Version >= 18.11.0 < 18.11.3

Gitlab ≫ GitLab SwEditionenterprise Version >= 18.11.0 < 18.11.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.027

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@gitlab.com	5.8	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released/

Release Notes

https://hackerone.com/reports/3566042

Permissions Required

https://gitlab.com/gitlab-org/gitlab/-/work_items/591354

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2026-3160

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3160

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3160

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3160