Insertion of Sensitive Information into Log File in GitLab

CVE	CVE-2026-12053
State	PUBLISHED
Assigner	GitLab
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-25 05:16:50 UTC
Updated	2026-06-25 16:01:47 UTC
Description	GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows.

Primary CVSS: v3.1 8.6 HIGH from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem Types: CWE-532 | CWE-532 CWE-532: Insertion of Sensitive Information into Log File

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Secondary	8.6	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`
3.1	CNA	CVSS	8.6	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Source	Vendor	Product	Version	Platforms
CNA	GitLab	GitLab	affected 19.1 19.1.1 semver	Not specified

Reference	Source	Link	Tags
docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released	[email protected]	docs.gitlab.com
gitlab.com/gitlab-org/gitlab/-/work_items/602194	[email protected]	gitlab.com
hackerone.com/reports/3757762	[email protected]	hackerone.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Thanks to [3nvz](https://hackerone.com/3nvz) and GitLab team member Dennis Appelt for reporting this vulnerability (en)

CNA: Upgrade to version 19.1.1 or above.

There are currently no legacy QID mappings associated with this CVE.