CVE-2025-13781 MEDIUM

CVE-2025-13781: Missing Authorization in GitLab

Vendor Gitlab

Product GitLab

Weakness CWE-862 · Missing authorization

Published January 9, 2026

Last update January 9, 2026

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.

Key dates

02Disclosure timeline

January 9, 2026 CVE published

January 9, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13781

Related vulnerabilities

04Related CVE

CVE-2025-22592 WordPress 1003 Mortgage Application plugin <= 1.87 - Broken Access Control vulnerability CVE-2024-13423 Sparkling <= 2.4.9 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation CVE-2022-2350 Disable User Login <= 1.0.1 - Unauthenticated Settings Update CVE-2025-68521 WordPress WpStream plugin <= 4.9.5 - Broken Access Control vulnerability CVE-2024-1122 Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin <= 3.3.50 - Missing Authorization to Unauthenticated Events Export

Identifiers

CVE CVE-2025-13781

CWE CWE-862

CVSS 6.5 / MEDIUM

Affected versions

Vendor Gitlab

Product GitLab

Affected ≥ 18.5 and < 18.5.5

Vendor Gitlab

Product GitLab

Affected ≥ 18.6 and < 18.6.3

Vendor Gitlab

Product GitLab

Affected ≥ 18.7 and < 18.7.1