Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
4.3
Unauthorized access to pipeline variables in GitLab
CVE-2025-14103
Summary
An unauthorized user with Developer permissions could set sensitive pipeline variables for certain jobs, potentially affecting the security and integrity of your projects. This has been fixed in updated versions of GitLab. Make sure to update to the latest version of your GitLab installation to prevent this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gitlab | gitlab | > 17.7.0 , <= 18.7.5 | – |
| gitlab | gitlab | > 17.7.0 , <= 18.7.5 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.5 | – |
| gitlab | gitlab | > 18.8.0 , <= 18.8.5 | – |
| gitlab | gitlab | 18.9.0 | – |
| gitlab | gitlab | 18.9.0 | – |
Original title
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer...
Original description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions.
nvd CVSS3.1
4.3
Vulnerability type
CWE-862
Missing Authorization
- https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-release... Release Notes Vendor Advisory
- https://gitlab.com/gitlab-org/gitlab/-/issues/583053 Broken Link
- https://hackerone.com/reports/3448317 Permissions Required
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026