JustAppSec

GitLab fixes Jira Connect credential leak enabling app impersonation

1 min read | Published 29 Mar 2026 | Source: CVEProject (cvelistV5)

TL;DR — A GitLab Jira Connect authorization bug can expose installation credentials, enabling an authenticated low-privilege user to impersonate the GitLab app in affected setups.

What happened

GitLab is a widely used DevSecOps platform for hosting source code, CI/CD pipelines, and related workflow automation. A GitLab-published CVE record describes an issue in Jira Connect installations: because of improper authorization checks, an authenticated user with minimal workspace permissions could obtain the installation credentials and then impersonate the GitLab app.

The CVE reports CVSS v3.1 8.1 (High) with a network attack vector and low privileges required. Credential theft in developer-tool integrations has a high blast radius: once an attacker can act as the "app," they inherit whatever the integration is trusted to do and can pivot into automation and workflow surfaces that engineers trust by default.

Who is impacted

  • GitLab CE/EE installations using Jira Connect.
  • Affected version ranges called out in the CVE record:
    Product        Affected versions        Patched / unaffected (per CVE)
    GitLab CE/EE   >= 14.3 and < 18.8.7     18.8.7 and later
    GitLab CE/EE   >= 18.9 and < 18.9.3     18.9.3 and later
    GitLab CE/EE   >= 18.10 and < 18.10.1   18.10.1 and later

What to do now

  • Follow vendor remediation guidance:
    • "Upgrade to versions 18.8.7, 18.9.3, 18.10.1 or above."

  • Inventory where Jira Connect is enabled and identify which GitLab major/minor line each instance is on, since the CVE enumerates three separately fixed branches: an instance on 18.9.2 is newer than 18.8.7 but still affected, so check against the range for your own branch rather than a single minimum version.
  • Treat this as an integration-credential exposure risk:
    • Review Jira Connect / integration audit trails for unexpected installation-credential access patterns.
    • If you suspect exposure, rotate affected installation credentials/secrets using your normal GitLab/Jira operational process and re-establish trusted app identities.
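The inventory step is where a quick check tends to go wrong: 18.9.2 is above 18.8.7 yet affected, so "is my version at least 18.8.7?" gives the wrong answer. The script below is an added example, not GitLab's or the CVE's own code. It encodes the three ranges from the table above as half-open intervals and classifies version strings in the form GitLab reports them (for example "18.9.2-ee"); the hostnames and versions in the demo inventory are constructed, and the fetch_instance_version helper against GitLab's /api/v4/version endpoint is provided for use against a real instance but is not called in the offline run.

```python
"""Added example (not GitLab's or the CVE's own code): check GitLab
version strings against the affected ranges quoted in the CVE table."""
import json
import re
import urllib.request
from typing import Optional

# Ranges copied from the CVE record: affected if lower <= version < upper.
# Each range is paired with the first patched release on that branch.
AFFECTED_RANGES = [
    ((14, 3, 0), (18, 8, 7), "18.8.7"),
    ((18, 9, 0), (18, 9, 3), "18.9.3"),
    ((18, 10, 0), (18, 10, 1), "18.10.1"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable int tuple.

    GitLab reports strings such as '18.9.2-ee' (edition suffix) or
    '18.10.0-pre' (nightly). Anything after the numeric part is ignored,
    which is the conservative choice: a '-pre' build is treated like the
    release it precedes, so it is never silently marked as fixed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def required_fix(version: str) -> Optional[str]:
    """Return the patched release to upgrade to, or None when the version
    falls outside every affected range the CVE record lists."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower <= v < upper:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return required_fix(version) is not None


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint,
    authenticating with a personal access token in the PRIVATE-TOKEN
    header. Network call; not used by the offline demo below."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


def triage(versions: dict[str, str]) -> dict[str, Optional[str]]:
    """Map instance name -> required fix (None = not in an affected range)."""
    return {name: required_fix(ver) for name, ver in versions.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the demo.
    inventory = {
        "gitlab.corp.example": "18.8.6-ee",
        "gitlab-staging.corp.example": "18.9.3-ee",
        "gitlab-legacy.corp.example": "17.11.2",
        "gitlab-nightly.corp.example": "18.10.0-pre",
    }
    for name, fix in triage(inventory).items():
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not in affected range"
        print(f"{name:32} {inventory[name]:14} {status}")
```

Feed it the version strings you collect from each instance (the API helper, the admin UI, or `gitlab-rake gitlab:env:info`); only an instance that reports None for every range is outside what the CVE record lists.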

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
