CVE-2025-2246: 
GitLab vulnerability analysis and mitigation

A security vulnerability identified as CVE-2025-2246 was discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1. The vulnerability was disclosed on August 27, 2025, and allows unauthenticated users to access sensitive manual CI/CD variables through the GraphQL API (NVD, GitLab Release).

The vulnerability is classified as a Missing Authorization issue (CWE-862) that affects the GraphQL endpoint. It received a CVSS v3.1 base score of 5.3 (Medium) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, while GitLab assessed it at 5.8 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. The vulnerability specifically allows unauthorized access to sensitive CI/CD variables through GraphQL API queries (NVD).

The vulnerability enables unauthenticated users to access sensitive manual CI/CD variables stored in GitLab instances. This unauthorized access to configuration variables could potentially lead to exposure of sensitive information used in continuous integration and continuous deployment pipelines (GitLab Release).

GitLab has released patches in versions 18.1.5, 18.2.5, and 18.3.1 to address this vulnerability. Users are strongly recommended to upgrade to these patched versions immediately. GitLab.com has already been updated with the security fix, and GitLab Dedicated customers do not need to take any action (GitLab Release).

The vulnerability was initially reported through GitLab's HackerOne bug bounty program by security researcher 'pwnie'. GitLab has classified this as a medium-severity issue and included it in their scheduled security release (GitLab Release).