Cyber Resilience

CVE-2025-13772

High

Published: 09 January 2026

Published
09 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0001 0.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13772 is a high-severity Missing Authorization (CWE-862) vulnerability in Gitlab Gitlab. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2025-13772 is a missing authorization vulnerability (CWE-862) in GitLab Enterprise Edition (EE), affecting all versions from 18.4 prior to 18.5.5, 18.6 prior to 18.6.3, and 18.7 prior to 18.7.1. The flaw allows an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API requests. It has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity and no user interaction required. By crafting API requests with manipulated namespace identifiers, the attacker gains unauthorized read access to sensitive AI model settings in other namespaces (C:H) and limited ability to influence them (I:L), potentially exposing or tampering with AI configurations belonging to other projects or organizations.

GitLab has remediated the issue in patch releases including 18.5.5, 18.6.3, and 18.7.1, as detailed in the release notes at https://about.gitlab.com/releases/2026/01/07/patch-release-gitlab-18-7-1-released/ and the issue tracker at https://gitlab.com/gitlab-org/gitlab/-/issues/581268. Security practitioners should upgrade to these patched versions immediately to mitigate the risk.

The vulnerability's relevance to AI/ML stems from its impact on AI model settings, which could expose proprietary configurations in multi-tenant GitLab environments. No public information indicates real-world exploitation as of the CVE publication on 2026-01-09.

EU & UK References

Vulnerability details

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by…

more

manipulating namespace identifiers in API requests.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization flaw in public-facing GitLab web/API service directly enables exploitation of the application to access unauthorized data/configurations.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-9222Same product: Gitlab Gitlab
CVE-2024-9870Same product: Gitlab Gitlab
CVE-2026-0723Same product: Gitlab Gitlab
CVE-2026-1724Same product: Gitlab Gitlab
CVE-2026-3857Same product: Gitlab Gitlab
CVE-2025-13928Same product: Gitlab Gitlab
CVE-2025-0811Same product: Gitlab Gitlab
CVE-2025-14560Same product: Gitlab Gitlab
CVE-2025-0376Same product: Gitlab Gitlab
CVE-2025-7659Same product: Gitlab Gitlab

Affected Assets

gitlab
gitlab
18.7.0 · 18.4.0 — 18.5.5 · 18.6.0 — 18.6.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on namespace identifiers in API requests so authenticated users cannot reach AI model settings outside their permitted namespaces.

prevent

Enforces information-flow rules between namespaces, blocking the unauthorized flow of AI model settings that the CVE exploits via manipulated identifiers.

prevent

Limits each account to the minimum namespaces required, reducing the impact surface an authenticated attacker can reach even if identifier checks are weak.

References