Leak confidential/private issues' titles of public projects
:warning: **Please read [the process](https://gitlab.com/gitlab-org/release/docs/-/blob/master/general/security/engineer.md) on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.** **[HackerOne report #3515716](https://hackerone.com/reports/3515716)** by `yvvdwf` on 2026-01-18, imported by @katwu: [Report](#report) | [Attachments](#attachments) | [How To Reproduce](#how-to-reproduce) ## HackerOne Analyst Summary ## Summary of the issue The researcher found unauthorized user can view other user's confidential issue title created in public project, via merge request comment HTML source code. ## Steps to reproduce 1. As the **victim**, sign in **victim's** GitLab account -> Create a **public** project -> In project **General Settings** -> Expand **Visibility, project features, permissions** -> Change **Issues** visibility to `Only Project Members` -> **Save changes**: ![3515716-Step1-victim-change-issues-visibility.png](https://h1.sec.gitlab.net/a/84e46f18-566b-4be6-b46c-21d5693e4f43/3515716-Step1-victim-change-issues-visibility.png) 2. As the **victim**, in project **Issues**, create a **Confidential** issue with any title -> Get **victim's** issue URL: ![3515716-Step2-victim-create-confidential-issue.png](https://h1.sec.gitlab.net/a/5f8e259a-2dfe-44e8-ba32-ced17c5d387b/3515716-Step2-victim-create-confidential-issue.png) 3. As the **attacker**, sign in **attacker's** GitLab account -> Go to **victim's** issue. You can see **attacker** cannot view it, as expected: ![3515716-Step3-attacker-cannot-view-victim-issue.png](https://h1.sec.gitlab.net/a/3cf95a5d-e2e9-4144-9b21-f05f52fbd380/3515716-Step3-attacker-cannot-view-victim-issue.png) 4. As the **attacker**, create a **private** project -> Make any change and start a merge request in the **attacker's** project -> Get **attacker's** merge request URL: ![3515716-Step4-attacker-create-merge-request.png](https://h1.sec.gitlab.net/a/a0f47da3-8389-48db-9b00-07ebf02c9b9a/3515716-Step4-attacker-create-merge-request.png) 5. As the **attacker**, in the merge request comment, add following content: - Replace `ATTACKER_MERGE_REQUEST_URL` with **attacker's** merge request URL from previous step - Replace `VICTIM_ISSUE_URL` with **victim's** issue URL from Step 2 ```html <dl> <a href="ATTACKER_MERGE_REQUEST_URL"> <li> mr <a href="VICTIM_ISSUE_URL">issue</a> </li> </a> </dl> ``` ![3515716-Step5-attacker-add-comment.png](https://h1.sec.gitlab.net/a/4325d502-daab-4bb5-b5cc-ed437dcf599f/3515716-Step5-attacker-add-comment.png) 6. As the **attacker**, check HTML source code of the comment. You can see **victim's** confidential issue title disclosed: ![3515716-Step6-attacker-view-victim-confidential-issue-tile.png](https://h1.sec.gitlab.net/a/90106a2c-fdcd-4afd-8628-69ea1ece9cf7/3515716-Step6-attacker-view-victim-confidential-issue-tile.png) ## Impact statement Unauthorized user can view other user's confidential issue title created in public project. If you have any questions or concerns about this report, feel free to assign it to `H1 Triage` via the action picker with a comment indicating your request. ## Original Report A Banzai reference keeps its inner html content in [`link_content_html`](https://gitlab.com/gitlab-org/gitlab/-/blob/24e1797bbcc461981a69329451c208fd6f703b91/lib/banzai/filter/references/abstract_reference_filter.rb#L161). This content is not redacted even if itself is a reference to a confidential or private issue, e.g., attackers can access to its title. ### Reproduce #### As victim: - Create a _public_ project, then set its `Issues` access to `Only Project Members` ![1.png](https://h1.sec.gitlab.net/a/e1504953-5a0e-44fa-9909-fd48cfbb20dc/1.png) - Create a confidential issue ![2.png](https://h1.sec.gitlab.net/a/6c76864e-e001-4162-9d26-9defdb236f83/2.png) #### As attacker - Create a new project, create some modification then create a new merge request on that project. Note the url of the merge request ![3.png](https://h1.sec.gitlab.net/a/ba4ae7ab-d1eb-45f4-a972-0264f0321d47/3.png) - Create a new comment on the merge request using the following content (you need to switch to `plain text editing` before enter the content) + the first `href` is the url of the merge request + the second `href` is the url of the victim's confidential issue (as the project is public, its name `root/banzai-leak` is available; the issue number `1` can be enumerated) ```html <dl> <a href="http://gl.lo:2080/user/banzai-ref/-/merge_requests/1"> <li> mr <a href="http://gl.lo:2080/root/banzai-leak/-/issues/1">issue</a> </li> </a> </dl> ``` ![4.png](https://h1.sec.gitlab.net/a/0835724b-15c2-46a8-b645-0c56ca29cab5/4.png) - After saving the comment, inspect `mr` element (see figure below), you should see the confidential issue's title ![5.png](https://h1.sec.gitlab.net/a/72f2e33e-747b-4e20-84b5-6251b9eb5234/5.png) #### Impact Access to any private or confidential issues' titles of any public project ## Attachments **Warning:** Attachments received through HackerOne, please exercise caution! * [1.png](https://h1.sec.gitlab.net/a/e1504953-5a0e-44fa-9909-fd48cfbb20dc/1.png) * [3.png](https://h1.sec.gitlab.net/a/ba4ae7ab-d1eb-45f4-a972-0264f0321d47/3.png) * [2.png](https://h1.sec.gitlab.net/a/6c76864e-e001-4162-9d26-9defdb236f83/2.png) * [4.png](https://h1.sec.gitlab.net/a/0835724b-15c2-46a8-b645-0c56ca29cab5/4.png) * [5.png](https://h1.sec.gitlab.net/a/72f2e33e-747b-4e20-84b5-6251b9eb5234/5.png) ## How To Reproduce Please add [reproducibility information] to this section: 1. 1. 1. [reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
issue