Improper Access Control in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2025-14595

 

Improper Access Control in Gitlab Community Edition and GitLab Enterprise Edition - CVE-2025-14595

Published: March 25, 2026 / Updated: March 26, 2026


Vulnerability identifier: #VU124608
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-14595
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: GitLab, Inc
Affected software:
Gitlab Community Edition
GitLab Enterprise Edition

Detailed vulnerability description

The vulnerability allows a remote user to view security category metadata and attributes in group security configuration.

The vulnerability exists due to improper access control in the GraphQL API when handling queries under certain conditions. A remote user with Planner role can send a specially crafted GraphQL query to view security category metadata and attributes in group security configuration.

Authentication and specific role (Planner) are required to exploit this vulnerability.


How to mitigate CVE-2025-14595

Install security update from vendor's website.

Sources