CVE-2026-3160— Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3160
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unintended Proxy or Intermediary ('Confused Deputy') in GitLab
Source: NVD (National Vulnerability Database)
Vulnerability Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
未有动机的代理或中间人(混淆代理)
Source: NVD (National Vulnerability Database)
Vulnerability Title
GitLab 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GitLab是美国GitLab公司的一个端到端软件开发平台,具有内置的版本控制、问题跟踪、代码审查、CI/CD(持续集成和持续交付)等功能。 GitLab CE/EE 13.7至18.9.7之前版本、18.10至18.10.6之前版本和18.11至18.11.3之前版本存在安全漏洞,该漏洞源于集成过滤器仅作为显示控制而非强制执行访问边界,可能导致认证用户查看指定项目范围之外的Jira问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-3160
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3160
请登录查看更多情报信息。
Same Patch Batch · GitLab · 2026-05-14 · 24 CVEs total
| CVE-2026-7481 | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gi |
| CVE-2026-7377 | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gi |
| CVE-2026-6073 | 8.7 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gi |
| CVE-2025-14869 | 7.5 HIGH | Improper Validation of Specified Quantity in Input in GitLab |
| CVE-2025-14870 | 7.5 HIGH | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2026-1659 | 7.5 HIGH | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2026-1322 | 6.8 MEDIUM | Business Logic Errors in GitLab |
| CVE-2026-1184 | 6.5 MEDIUM | Deserialization of Untrusted Data in GitLab |
| CVE-2026-8280 | 6.5 MEDIUM | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2026-4524 | 6.5 MEDIUM | Authentication Bypass Using an Alternate Path or Channel in GitLab |
| CVE-2026-4527 | 6.5 MEDIUM | Cross-Site Request Forgery (CSRF) in GitLab |
| CVE-2026-6335 | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Gi |
| CVE-2025-12669 | 5.4 MEDIUM | Improper Control of Generation of Code ('Code Injection') in GitLab |
| CVE-2026-3607 | 4.3 MEDIUM | Access Control Check Implemented After Asset is Accessed in GitLab |
| CVE-2026-8144 | 4.3 MEDIUM | Missing Authorization in GitLab |
| CVE-2026-6063 | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab |
| CVE-2026-3074 | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab |
| CVE-2026-3073 | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab |
| CVE-2026-1338 | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab |
| CVE-2025-13874 | 4.3 MEDIUM | Authorization Bypass Through User-Controlled Key in GitLab |
Showing top 20 of 24 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: GitLab
- CVE-2025-12669
Improper Control of Generation of Code ('Code Injection') in - CVE-2025-13874
Authorization Bypass Through User-Controlled Key in GitLab - CVE-2025-14869
Improper Validation of Specified Quantity in Input in GitLab - CVE-2025-14870
Allocation of Resources Without Limits or Throttling in GitL - CVE-2026-1184
Deserialization of Untrusted Data in GitLab
Same vendor: GitLab
- CVE-2025-12669
Improper Control of Generation of Code ('Code Injection') in - CVE-2025-13874
Authorization Bypass Through User-Controlled Key in GitLab - CVE-2025-14869
Improper Validation of Specified Quantity in Input in GitLab - CVE-2025-14870
Allocation of Resources Without Limits or Throttling in GitL - CVE-2026-1184
Deserialization of Untrusted Data in GitLab
Same weakness: CWE-441
- CVE-2026-45003
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via - CVE-2026-44992
OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override vi - CVE-2026-42313
pyload-ng: non-admin SETTINGS users can redirect all outboun - CVE-2026-45182
GrapheneOS 安全漏洞 - CVE-2026-41365
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API
V. Comments for CVE-2026-3160
No comments yet