CVE-2025-7736: 
GitLab vulnerability analysis and mitigation

GitLab has identified and remediated an Improper Access Control vulnerability (CVE-2025-7736) affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions from 17.9 before 18.3.6, 18.4 before 18.4.4, and 18.5 before 18.5.2. This security issue was discovered and reported through GitLab's HackerOne bug bounty program by researcher mateuszek (GitLab Patch).

The vulnerability is characterized by an improper access control mechanism in GitLab Pages that could allow authenticated users to bypass access control restrictions. The issue specifically involves authentication through OAuth providers. The vulnerability has been assigned a CVSS score of 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating a low severity level with network attack vector, high attack complexity, and low privileges required (GitLab Patch).

The vulnerability could allow authenticated users to view GitLab Pages content that was intended only for project members. This unauthorized access could potentially expose sensitive information that was meant to be restricted to specific project members (GitLab Patch).

GitLab has released patches to address this vulnerability in versions 18.5.2, 18.4.4, and 18.3.6. Organizations running affected versions are strongly recommended to upgrade to the latest patched version immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take any action (GitLab Patch).