
Unauthorized - A "planner" role can "View code review analytics" at Gitlab Private Projects (which is contrary to written docs/permissions)

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2921111 by weasterhacker on 2025-01-03, assigned to @ngeorge1:


Report

Unauthorized - A "planner" role can "View code review analytics" at Gitlab Private Projects (which is contrary to written docs/permissions)

Hi team ,

According to the GitLab permissions docs, "View code review analytics" requires the "Reporter" role or a higher role.

docs - https://docs.gitlab.com/ee/user/analytics/code_review_analytics.html

permission matrix - https://docs.gitlab.com/ee/user/permissions.html

Screenshot_20250103_173243_Chrome.jpg

Screenshot_20250103_173558_Chrome.jpg

But here an attacker with only the "planner" role was able to "View code review analytics" on the victim user's private project.

Steps -

As Victim User :

  1. Create a group and project (private, with the Ultimate plan).

  2. Create a merge request or issue on the project.

  3. Now invite the attacker with the "planner" role to the group/project.

As Attacker -

  1. Create an account at https://gitlab.com

  2. Now navigate to https://gitlab.com/group/project/-/analytics/code_reviews

See that the attacker with only the "planner" role was able to "View code review analytics" on the victim user's private project, which is only meant to be accessible to the "reporter" or higher roles.

Impact -

A user with the planner role was able to "View code review analytics", which is meant to be accessible only to the "reporter" or higher roles, on GitLab private projects.

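The report reproduces the problem by hand in the web UI. The script below is an added example (not code from the report or from GitLab) that turns the same steps into a repeatable authorization-matrix check over the REST API: as the project owner it grants a test user each of Guest, Planner and Reporter on the private project, then as that user fetches the data behind `/-/analytics/code_reviews` and compares the HTTP result with the documented minimum role (Reporter). Assumptions not taken from the report: the page's data is served by the project-scoped endpoint `/api/v4/projects/:id/analytics/code_review` (verify against your instance), access levels follow the GitLab docs (Guest 10, Planner 15, Reporter 20), and the invited user is exercised with their own personal access token. The expected outcome per the docs is HTTP 200 only for Reporter; a 200 for Planner is the bypass this report describes.

```python
"""Authorization-matrix probe for "View code review analytics" (added example).

Not code from the report or from GitLab. Assumes the page's data comes from
GET /api/v4/projects/:id/analytics/code_review (verify on your instance), and
that access levels are Guest 10, Planner 15, Reporter 20 as documented.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

# Access levels as listed in the GitLab permissions docs.
ACCESS_LEVELS = {"guest": 10, "planner": 15, "reporter": 20}
REQUIRED_LEVEL = ACCESS_LEVELS["reporter"]  # documented minimum for the feature


def expected_allowed(role: str) -> bool:
    """Documented policy: Reporter or higher may view code review analytics."""
    return ACCESS_LEVELS[role] >= REQUIRED_LEVEL


def findings(observed: dict) -> list:
    """Compare observed outcomes ({role: http_status}) with the documented policy.

    One finding per role whose outcome contradicts the docs: a 200 below
    Reporter is an authorization bypass; anything but 200 at or above
    Reporter is a regression in the other direction.
    """
    out = []
    for role, status in observed.items():
        allowed = status == 200
        level = ACCESS_LEVELS[role]
        if allowed and not expected_allowed(role):
            out.append(f"{role} (level {level}) got HTTP {status}: bypass, docs require >= {REQUIRED_LEVEL}")
        elif not allowed and expected_allowed(role):
            out.append(f"{role} (level {level}) got HTTP {status}: expected access")
    return out


def _request(base_url, path, token, method="GET", data=None):
    """Minimal GitLab REST call; returns (status, parsed JSON or None)."""
    url = f"{base_url.rstrip('/')}/api/v4/{path}"
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as e:
        return e.code, None


def set_role(base_url, owner_token, project_path, user_id, role):
    """As the owner, add the test user with `role`, or change their level if already a member."""
    pid = urllib.parse.quote(project_path, safe="")
    level = ACCESS_LEVELS[role]
    status, _ = _request(base_url, f"projects/{pid}/members", owner_token, "POST",
                         {"user_id": user_id, "access_level": level})
    if status == 409:  # "Member already exists": update the level instead
        status, _ = _request(base_url, f"projects/{pid}/members/{user_id}", owner_token, "PUT",
                             {"access_level": level})
    if status not in (200, 201):
        raise RuntimeError(f"could not set role {role}: HTTP {status}")


def probe(base_url, attacker_token, project_path):
    """As the invited user, fetch the code review analytics data; return the HTTP status."""
    pid = urllib.parse.quote(project_path, safe="")
    status, _ = _request(base_url, f"projects/{pid}/analytics/code_review", attacker_token)
    return status


def run_matrix(base_url, owner_token, attacker_token, attacker_id, project_path):
    """Cycle the test user through each role and collect the observed statuses."""
    observed = {}
    for role in ACCESS_LEVELS:
        set_role(base_url, owner_token, project_path, attacker_id, role)
        observed[role] = probe(base_url, attacker_token, project_path)
    return observed, findings(observed)


if __name__ == "__main__":
    # usage: probe.py BASE_URL OWNER_TOKEN ATTACKER_TOKEN ATTACKER_USER_ID group/project
    base, owner_tok, attacker_tok, uid, path = sys.argv[1:6]
    seen, issues = run_matrix(base, owner_tok, attacker_tok, int(uid), path)
    print(json.dumps(seen, indent=2))
    for line in issues:
        print("FINDING:", line)
    sys.exit(1 if issues else 0)
```

Run it against a throwaway private project on an Ultimate instance with a PAT for the owner and one for the invited test user; a non-zero exit with a `planner ... bypass` finding reproduces the report, and a clean run is the regression check once the policy is fixed. `findings` is kept pure so the policy comparison can be unit-tested without a live instance.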

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: