CVE-2026-2370
Published: 30 March 2026
Summary
CVE-2026-2370 is a high-severity Improper Handling of Parameters (CWE-233) vulnerability in GitLab. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Application Access Token (T1528). It is ranked at the 0.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
AC-24 requires the system to make correct access control decisions for sensitive resources like Jira Connect installation credentials, directly addressing the improper authorization checks exploited in this CVE.
AC-3 enforces approved authorizations in accordance with policy, preventing authenticated users with minimal permissions from obtaining and using installation credentials to impersonate the GitLab app.
AC-6 applies least privilege to limit access to installation credentials only to necessary roles, mitigating the risk of impersonation by minimally privileged workspace users.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability directly enables theft of application installation credentials and tokens for impersonation (T1528, Steal Application Access Token).
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.3 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 affecting Jira Connect installations that could have allowed an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab app due to improper authorization checks.
Deeper analysis (AI-generated)
CVE-2026-2370 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE), affecting all versions from 14.3 prior to 18.8.7, 18.9 prior to 18.9.3, and 18.10 prior to 18.10.1. The flaw impacts Jira Connect installations due to improper authorization checks (CWE-233), which allow an authenticated user with minimal workspace permissions to obtain installation credentials and impersonate the GitLab application.
An authenticated attacker with minimal workspace permissions can exploit this issue remotely over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and maintaining unchanged scope (S:U). Exploitation yields high confidentiality (C:H) and integrity (I:H) impacts with no availability effects (A:N), as indicated by the CVSS v3.1 base score of 8.1, enabling the attacker to access sensitive credentials and act as the GitLab app.
GitLab has remediated the vulnerability through patches, including the release of GitLab 18.10.1. Further details on the fix and issue tracking are provided in the GitLab patch release notes at https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/, the internal work item at https://gitlab.com/gitlab-org/gitlab/-/work_items/589635, and the HackerOne disclosure report at https://hackerone.com/reports/3522829.
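The three affected ranges above are easy to misread when triaging a fleet (for example, 18.8.10 is fixed while 18.8.6 is not, and a bare "18.9" is the first release of an affected line). The following is an added defender's check, not code from GitLab or from this advisory: it encodes the version ranges exactly as the page states them and maps each instance to the first fixed release of its line. The host names and versions in the sample inventory are constructed for illustration.

```python
"""Affected-version check for CVE-2026-2370 using the ranges stated in the advisory.

Added example (not GitLab's or the advisory's own code). The inventory below is constructed.
"""
from __future__ import annotations

# Ranges as stated on the page: lower bound inclusive, upper bound (first fixed release) exclusive.
AFFECTED_RANGES: tuple[tuple[tuple[int, int, int], tuple[int, int, int]], ...] = (
    ((14, 3, 0), (18, 8, 7)),    # 14.3 <= v < 18.8.7
    ((18, 9, 0), (18, 9, 3)),    # 18.9  <= v < 18.9.3
    ((18, 10, 0), (18, 10, 1)),  # 18.10 <= v < 18.10.1
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '18.8.6', '18.8.6-ee', '18.9' or '18.9.2+abc' into a comparable 3-tuple.

    Edition suffixes ('-ee') and build metadata ('+...') are dropped; a missing
    patch or minor component is treated as 0, so '18.9' is the first 18.9 release.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> str | None:
    """Return the first fixed release for an affected version, or None if not affected."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower <= v < upper:
            return ".".join(str(n) for n in upper)
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside any of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


def triage(inventory: dict[str, str]) -> dict[str, str | None]:
    """Map each host to the release it must reach (None when already unaffected)."""
    return {host: fixed_version_for(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported GitLab version.
    sample = {
        "gitlab-prod.example.internal": "18.8.6-ee",
        "gitlab-staging.example.internal": "18.9",
        "gitlab-legacy.example.internal": "17.11.2",
        "gitlab-new.example.internal": "18.10.1",
    }
    for host, needed in triage(sample).items():
        status = f"upgrade to {needed}" if needed else "not affected"
        print(f"{host}: {status}")
```

Tuple comparison does the boundary work: a version equal to the first fixed release compares as not less than the upper bound, so 18.8.7, 18.9.3 and 18.10.1 are correctly reported as unaffected, while anything from 14.3.0 upward in the older line still maps to 18.8.7.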
Details
- CWE(s)