CVE-2021-39886
2.6 LOWPermissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and u...
Published: 2021-10-05 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 2.6 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
- CWE
- CWE-276
Affected products
| Vendor | Product |
|---|---|
| gitlab | gitlab |
Description
Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39886
- [Vendor advisory]https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39886.json
- [Other]https://gitlab.com/gitlab-org/gitlab/-/issues/330520
- [Vendor advisory]https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39886.json
- [Other]https://gitlab.com/gitlab-org/gitlab/-/issues/330520
Related CVEs
Same vendor
- CVE-2026-9694 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.... (2.6 LOW)
- CVE-2026-9204 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19... (5.3 MEDIUM)
- CVE-2026-8589 — GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0... (7.3 HIGH)
- CVE-2026-7250 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19... (7.5 HIGH)
- CVE-2026-6976 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.... (3.7 LOW)
Same CWE
- CVE-2026-50255 — Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier (6.7 MEDIUM)
- CVE-2026-11931 — Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to ... (5.5 MEDIUM)
- CVE-2026-49157 — Incorrect Default Permissions vulnerability in Apache ActiveMQ (8.8 HIGH)
- CVE-2026-48191 — An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
- CVE-2026-48190 — An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)