{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9484", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2025-08-26T08:33:31.412Z", "datePublished": "2026-04-08T22:27:17.831Z", "dateUpdated": "2026-04-09T13:03:18.113Z"}, "containers": {"cna": {"title": "Missing Authorization in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "versions": [{"version": "16.6", "status": "affected", "lessThan": "18.8.9", "versionType": "semver"}, {"version": "18.9", "status": "affected", "lessThan": "18.9.5", "versionType": "semver"}, {"version": "18.10", "status": "affected", "lessThan": "18.10.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862: Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/565363", "name": "GitLab Issue #565363", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/3303810", "name": "HackerOne Bug Bounty Report #3303810", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above."}], "credits": [{"lang": "en", "value": "Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T22:27:17.831Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:03:07.698784Z", "id": "CVE-2025-9484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:03:18.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:03:07.698784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:03:13.335Z"}}], "cna": {"title": "Missing Authorization in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [mateuszek](https://hackerone.com/mateuszek) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "16.6", "lessThan": "18.8.9", "versionType": "semver"}, {"status": "affected", "version": "18.9", "lessThan": "18.9.5", "versionType": "semver"}, {"status": "affected", "version": "18.10", "lessThan": "18.10.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to versions 18.8.9, 18.9.5, 18.10.3 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/565363", "name": "GitLab Issue #565363", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/3303810", "name": "HackerOne Bug Bounty Report #3303810", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-04-08T22:27:17.831Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9484", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:03:18.113Z", "dateReserved": "2025-08-26T08:33:31.412Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-04-08T22:27:17.831Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries."}], "id": "CVE-2025-9484", "lastModified": "2026-04-08T23:16:57.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-04-08T23:16:57.343", "references": [{"source": "cve@gitlab.com", "url": "https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/"}, {"source": "cve@gitlab.com", "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/565363"}, {"source": "cve@gitlab.com", "url": "https://hackerone.com/reports/3303810"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.6,18.8.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.9,18.9.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[18.10,18.10.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitLab", "source": "cna", "vendor": "GitLab"}, "product": "gitlab", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-04-09T00:50:54.146352+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading to GitLab 18.8.9, 18.9.5, or 18.10.3 or newer.", "If an upgrade cannot be performed immediately, block or limit access to GraphQL endpoints that expose user email addresses until the patch is applied."], "summary": {"action": "Patch Immediately", "impact": "Email data exposure"}, "threat_synthesis": {"affected_systems": "Affected versions of GitLab Enterprise Edition range from 16.6 through 18.8.8, 18.9.4, and 18.10.2. All releases prior to 18.8.9, 18.9.5, and 18.10.3 contain the flaw. Applying the vendor\u2019s patch by upgrading to version 18.8.9, 18.9.5, 18.10.3, or any later release removes the vulnerability.", "description_and_impact": "The vulnerability stems from missing authorization in certain GraphQL queries within GitLab Enterprise Edition, allowing any authenticated user to retrieve the email addresses of other users. This flaw exposes personally identifying information that can be misused in credential\u2011recovery or social\u2011engineering attacks. The weakness is classified as an authorization failure (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no public exploitation known. Because the exploit requires only authenticated access, any user with valid credentials could abuse the flaw; however, the lack of a publicly disclosed exploit reduces immediate risk."}}}}, "created": "2026-04-09T08:16:06.365009+00:00", "updated": "2026-04-09T08:25:32.461522+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitlab"]}