
Merge request titles visible publicly despite being set as project members only

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2357370 by ashish_r_padelkar on 2024-02-07, assigned to @ottilia_westerlund:


Report

Summary

Hello,

It is possible for anyone to see merge request titles despite their visibility being set to only project members.

Steps to reproduce

1. Create a public project.
2. Set the repository as Everyone With Access but set merge requests as Only Project Members.
   (Screenshot attached: Screenshot_2024-02-07_at_11.45.51_AM.png)
3. Create a new branch at https://gitlab.com/<NameSpace>/<ProjectName>/-/branches and then a merge request using that branch.
4. Now visit the URL without logging in, https://gitlab.com/<NameSpace>/<ProjectName>/-/branches, and hover over the merge request icon like below.
   (Screenshot attached: Screenshot_2024-02-07_at_11.51.23_AM.png)
5. You will see the merge request title.

Examples

You can see my test PoC here https://gitlab.com/groupjan2024/Janproject/-/branches where I have set merge request visibility to only project members, yet you see the titles.

What is the current bug behavior?

Merge request titles visible publicly despite being set as project members only

What is the expected correct behavior?

Only project members should see the merge request titles

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Merge request titles visible publicly despite being set as project members only
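The steps above describe a feature-level access control gap: the branches page is gated on repository visibility, but it attaches merge request titles without applying the merge request feature's own check. The Ruby below is an added illustration written for this issue, not GitLab's code or its fix; the "leaky" serializer is a hypothetical reconstruction of the behaviour the report describes, and the project, branch and merge request data are constructed to match the reporter's setup (public project, repository Everyone With Access, merge requests Only Project Members).

```ruby
# Added example (not GitLab's code): a minimal model of per-feature project
# visibility, showing why a branch listing must apply the merge request
# feature's access check before it exposes MR titles to the viewer.

module FeatureAccess
  DISABLED = 0
  PRIVATE  = 10   # "Only Project Members"
  ENABLED  = 20   # "Everyone With Access"
end

Project = Struct.new(:public, :repository_access, :merge_requests_access,
                     :members, keyword_init: true)
MergeRequest = Struct.new(:title, :source_branch, keyword_init: true)

def member?(project, user)
  !user.nil? && project.members.include?(user)
end

# Generic feature check: ENABLED follows project visibility, PRIVATE
# requires membership, DISABLED hides the feature from everyone.
def feature_visible?(project, feature_level, user)
  case feature_level
  when FeatureAccess::ENABLED then project.public || member?(project, user)
  when FeatureAccess::PRIVATE then member?(project, user)
  else false
  end
end

def can_read_repository?(project, user)
  feature_visible?(project, project.repository_access, user)
end

def can_read_merge_request?(project, user)
  feature_visible?(project, project.merge_requests_access, user)
end

# Hypothetical leaky pattern mirroring the report: only the repository
# check is applied, then every branch carries its MR title regardless
# of who is looking.
def branches_payload_leaky(project, branches, mrs, user)
  return [] unless can_read_repository?(project, user)
  branches.map do |b|
    mr = mrs.find { |m| m.source_branch == b }
    { branch: b, merge_request_title: mr && mr.title }
  end
end

# Hardened pattern: the MR title (and even the fact that an MR exists)
# is attached only when the viewer passes the merge request feature check.
def branches_payload_safe(project, branches, mrs, user)
  return [] unless can_read_repository?(project, user)
  show_mr = can_read_merge_request?(project, user)
  branches.map do |b|
    mr = show_mr ? mrs.find { |m| m.source_branch == b } : nil
    { branch: b, merge_request_title: mr && mr.title }
  end
end

# Constructed sample matching the reporter's configuration.
PROJECT = Project.new(public: true,
                      repository_access: FeatureAccess::ENABLED,
                      merge_requests_access: FeatureAccess::PRIVATE,
                      members: ["alice"])
BRANCHES = %w[main feature-x]
MRS = [MergeRequest.new(title: "Internal: rotate signing keys",
                        source_branch: "feature-x")]

def anonymous_leak
  branches_payload_leaky(PROJECT, BRANCHES, MRS, nil)    # nil = not logged in
end

def anonymous_safe
  branches_payload_safe(PROJECT, BRANCHES, MRS, nil)
end

def member_safe
  branches_payload_safe(PROJECT, BRANCHES, MRS, "alice")
end

if __FILE__ == $0
  puts "anonymous, leaky: #{anonymous_leak.inspect}"
  puts "anonymous, safe:  #{anonymous_safe.inspect}"
  puts "member, safe:     #{member_safe.inspect}"
end
```

The point of the hardened version is that the authorization decision is made once per response against the specific feature being exposed, not inferred from a neighbouring feature's visibility; a regression test that renders the branch list as an anonymous viewer and asserts no merge request titles are present is the check that would have caught this.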

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: