CVE-2026-4524
CWE-288Published: May 14, 2026· Updated: May 15, 2026
Official Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.
Technical Analysis
CVE-2026-4524 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 6.5.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
News & Research Mentioning CVE-2026-4524
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted [xlite_meta score:43 src:The Hacker News xlite_fp:6c4777657230cef450cbe6c25b9a255b7b7627129069afe855e7219d2445f44a]
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-45247 Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protec [xlite_meta score:48 src:CISA Alerts xlite_fp:447d4e3130c810969d80aa7dd8378f4d09df2c594b40184a1595e357e130bc24]
All References (3)
Quick Facts
Related CVEs (CWE-288)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-4524 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts