Iterations from unauthorized descendant groups can be disclosed via include_descendants.

⚠️ Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #3484568 by go7f0 on 2026-01-02, imported by @fvpotvin:


HackerOne Analyst Summary

Summary

An access control issue exists in GitLab's iterations API endpoint that allows unauthorized disclosure of iteration data from private descendant groups. The vulnerability occurs when the include_descendants parameter is used in the /api/v4/groups/<parent_group_id>/iterations endpoint, which bypasses proper authorization checks for private child groups. When a parent group is configured as public but contains private child groups, authenticated users can retrieve iteration information from those private descendant groups despite lacking direct access permissions.

Steps to Reproduce

  1. Create a parent group that is configured as public visibility
  2. Within the parent group, create a child group with private visibility settings
  3. Navigate to the private child group and access Plan → Iterations to create a new iteration cadence
    • Title: "test cadence"
    • Description: "test cadence"
    • Leave "Enable automatic scheduling" unchecked
  4. Within the newly created cadence, add a new iteration
  5. Make an API request to the parent group's iterations endpoint with the include_descendants parameter:
    GET /api/v4/groups/<parent_group>/iterations?include_ancestors=false&include_descendants=true


Impact

The vulnerability enables unauthorized access to iteration planning data from private descendant groups, potentially exposing project management information. This includes access to iteration titles, descriptions, and scheduling information.

Original Report

Summary

include_descendants allows users to retrieve iterations belonging to descendant groups they should not be able to access.

Steps to reproduce

Build the environment: parent_group is public, child_group is private.


Create a new cadence in the private group under Plan -> Iterations.

The Enable automatic scheduling option here can be checked or unchecked; for ease of distinction, it is left unchecked.


Add iteration in the newly created Cadence.


Enter sensitive content in the Title and Description fields.


At this point, since private-group is private, other regular accounts will receive a 404 error when attempting to access it.


However, since the parent group is public, the content of the iterations in the private group can be obtained through /api/v4/groups/<parent_group_id>/iterations?include_ancestors=false&include_descendants=false.


Impact

This enables unauthorized access to iteration data from descendant groups, potentially exposing private planning information across group boundaries.
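The authorization gap the report describes (a finder that expands include_descendants by hierarchy alone, without re-checking each descendant group's visibility) can be shown on a toy model. The following is an added example, not GitLab's code: the Group and Iteration structs, the readable? rule (public groups readable by anyone, private groups only by members), the sample hierarchy and the two finder variants are all constructed here to illustrate the vulnerable shape beside the hardened one.

```ruby
# Added example (not GitLab's code): a toy model of the authorization gap
# described in the report. Groups have a visibility level and a parent;
# a finder that expands include_descendants must filter every descendant
# through the same read check as the requested group.

Group = Struct.new(:id, :name, :visibility, :parent, :members, keyword_init: true)
Iteration = Struct.new(:group, :title, :description, keyword_init: true)

# Constructed visibility rule: public groups are readable by anyone,
# private groups only by their members.
def readable?(user, group)
  group.visibility == :public || group.members.include?(user)
end

# All transitive children of `group` within `all_groups`.
def descendants_of(group, all_groups)
  children = all_groups.select { |g| g.parent == group }
  children + children.flat_map { |c| descendants_of(c, all_groups) }
end

# Vulnerable shape: the requested group is checked, but descendants are
# added purely by hierarchy, so a private child under a public parent leaks.
def iterations_unsafe(user, group, all_groups, all_iterations, include_descendants: false)
  return [] unless readable?(user, group)

  groups = [group]
  groups += descendants_of(group, all_groups) if include_descendants
  all_iterations.select { |it| groups.include?(it.group) }
end

# Hardened shape: each descendant must independently pass readable?.
def iterations_safe(user, group, all_groups, all_iterations, include_descendants: false)
  return [] unless readable?(user, group)

  groups = [group]
  if include_descendants
    groups += descendants_of(group, all_groups).select { |g| readable?(user, g) }
  end
  all_iterations.select { |it| groups.include?(it.group) }
end

# Constructed sample mirroring the report: public parent, private child,
# one iteration in each.
def sample_world
  parent = Group.new(id: 1, name: "parent_group", visibility: :public, parent: nil, members: ["owner"])
  child  = Group.new(id: 2, name: "child_group", visibility: :private, parent: parent, members: ["owner"])
  iterations = [
    Iteration.new(group: parent, title: "public sprint", description: "visible to all"),
    Iteration.new(group: child,  title: "test cadence",  description: "confidential plan")
  ]
  [[parent, child], iterations]
end

# Titles returned for `user` querying the parent with include_descendants=true.
def titles_for(user, finder)
  groups, iterations = sample_world
  send(finder, user, groups.first, groups, iterations, include_descendants: true).map(&:title)
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe, outsider: #{titles_for('outsider', :iterations_unsafe).inspect}"
  puts "safe,   outsider: #{titles_for('outsider', :iterations_safe).inspect}"
  puts "safe,   owner:    #{titles_for('owner', :iterations_safe).inspect}"
end
```

The useful regression check for a fix of this kind is the outsider case: a non-member querying the public parent with include_descendants=true must see only the parent's own iterations, while a member of the private child still sees both.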

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section: