
A GitLab instance runner's maintenance note can be seen by other users via the API and GraphQL

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3173328 by iamgk808 on 2025-06-01, assigned to @katwu:


Report

Summary

In a GitLab self-managed instance, on the CI/CD > Runners page, we can view the details of a runner where an administrator can add a note called Maintenance Note. This note is intended to be visible only to administrators. However, I found that any user can see the Maintenance Note via the API and GraphQL.

image.png

Steps to reproduce
  • Use a GitLab self-managed instance

  • Two users: admin, attacker

admin steps

  1. As admin, go to Admin Area > CI/CD > Runners

  2. Click on Create instance runner, add some details in the Maintenance note, and click on Create runner
    image.png

  3. On the next page, just don't do anything and click on View Runners
    image.png

  4. Note the ID of the runner from the page URL (The runner ID is just an incremental numerical ID, so it's easy to guess)
    image.png

attacker steps

  1. Log in as attacker

  2. Now visit http://localhost/api/v4/runners/5, where localhost is replaced with your instance URL and 5 is the runner ID
    image.png

  3. Open http://localhost/-/graphql-explorer and use the request below

query {
  runner(id: "gid://gitlab/Ci::Runner/5") {
    id
    description
    maintenanceNoteHtml
    maintenanceNote
  }
}

image.png

Impact

The instance runner's maintenance note is seen by non-admin users.

Examples
What is the current bug behavior?

The instance runner's maintenance note is seen by non-admin users.

What is the expected correct behavior?

Only admins should see the maintenance notes.

Relevant logs and/or screenshots
Output of checks

(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)

Results of GitLab environment info
GitLab information  
Version:        18.0.1-ee  
Revision:       3426be1b938  
Directory:      /opt/gitlab/embedded/service/gitlab-rails  
DB Adapter:     PostgreSQL  
DB Version:     16.8  
URL:            http://localhost  
HTTP Clone URL: http://localhost/some-group/some-project.git  
SSH Clone URL:  git@localhost:some-group/some-project.git  
Elasticsearch:  no  
Geo:            no  
Using LDAP:     no  
Using Omniauth: yes  
Omniauth Providers:

GitLab Shell  
Version:        14.42.0  
Repository storages:  
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket  
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly  
- default Address:      unix:/var/opt/gitlab/gitaly/gitaly.socket  
- default Version:      18.0.1  
- default Git Version:  2.49.0.gl2  


Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:

Proposal

After discussing in the Fleet Visibility weekly meeting, we decided to go forward with:

  1. Changing the UI to mention that the field is visible to runner maintainers (as opposed to administrators)
  2. Locking down the respective fields in GraphQL and REST API runner type so that the field is only visible to runner maintainers.
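The following is an added illustration of the second proposal item, written for this page and not taken from GitLab's code base: a response presenter that includes the maintenance note only when the requesting user passes an authorization check, shown beside the unguarded presenter that produces the reported leak. The `User`, `Runner`, policy function and sample data are all hypothetical stand-ins for GitLab's real models and policy layer; the point is the field-level gate, which applies the same way to a REST entity or a GraphQL field resolver.

```ruby
# Added example, not GitLab's own code. All classes and data here are
# constructed stand-ins for the real Ci::Runner model and API presenters.

User = Struct.new(:id, :admin, keyword_init: true)

# A runner records which user IDs maintain it (constructed for this example).
Runner = Struct.new(:id, :description, :maintenance_note, :maintainer_ids,
                    keyword_init: true)

# Hypothetical policy: administrators and the runner's maintainers may read
# the note; every other caller, including anonymous ones, may not.
def can_read_maintenance_note?(user, runner)
  return false if user.nil?

  user.admin || runner.maintainer_ids.include?(user.id)
end

# BEFORE (the reported behaviour): every attribute is serialised for any
# caller who can see the runner at all, so the note reaches non-admin users.
def present_runner_unsafe(runner, _user)
  {
    id: runner.id,
    description: runner.description,
    maintenance_note: runner.maintenance_note
  }
end

# AFTER: the sensitive field is added only when the policy allows it.
# The key is omitted rather than set to nil so an unauthorised caller cannot
# distinguish "no note" from "note withheld".
def present_runner(runner, user)
  payload = { id: runner.id, description: runner.description }
  if can_read_maintenance_note?(user, runner)
    payload[:maintenance_note] = runner.maintenance_note
  end
  payload
end

# Regression check: for each role, does the note appear in the response?
# Returns a Hash of role name => true/false.
def maintenance_note_exposure(runner, users)
  users.to_h { |name, user| [name, present_runner(runner, user).key?(:maintenance_note)] }
end

# Constructed sample data: runner 5 is maintained by user 2 only.
RUNNER = Runner.new(id: 5, description: "shared-runner",
                    maintenance_note: "rotate registration token on Friday",
                    maintainer_ids: [2])
USERS = {
  admin: User.new(id: 1, admin: true),
  maintainer: User.new(id: 2, admin: false),
  other_user: User.new(id: 3, admin: false),
  anonymous: nil
}

if __FILE__ == $PROGRAM_NAME
  p maintenance_note_exposure(RUNNER, USERS)
  # => {:admin=>true, :maintainer=>true, :other_user=>false, :anonymous=>false}
end
```

Run the file directly to see the exposure table; the unsafe presenter is kept only to make the contrast visible and has no place in production code. When applying this pattern to an API, the check belongs on the field itself (entity attribute or GraphQL resolver), not only on the page that renders it, since the report shows the UI and the API disagreeing about who may read the value.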
Edited by Pedro Pombeiro