CVE-2025-14103
📋 TL;DR
This vulnerability allows an authenticated user who holds only the Developer role to set pipeline variables when running a manually triggered job in GitLab, something that role should not be able to do. It affects GitLab CE/EE installations on unpatched versions. Because pipeline variables feed directly into job execution, the bug gives a Developer a way to change what a CI/CD job does when it runs.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
Gitlab by Gitlab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Developer access could supply variables that change what a manual job executes (for example a value that is interpolated into a script, or that selects the image or download URL a job uses), gaining code execution in the runner context, reading CI secrets exposed to that job, or tampering with build artifacts that later stages or deployments consume.
Likely Case
Unauthorized changes to pipeline variables that produce incorrect or untrusted builds, leak data through job output or artifacts, or disrupt development workflows.
If Mitigated
Limited impact where project membership follows least privilege, sensitive variables are protected and scoped to protected branches, and pipelines validate their inputs rather than trusting variables blindly.
🎯 Exploit Status
Exploitation requires an authenticated account with Developer access on the target project and a pipeline that contains manually triggered jobs the attacker is allowed to run.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.7.5, 18.8.5, or 18.9.1
Vendor Advisory: https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Upgrade to 18.7.5, 18.8.5 or 18.9.1 using your package manager (or the matching Helm chart or container image tag); if you are several minor versions behind, follow GitLab's documented upgrade path instead of jumping straight to the target.
3. Restart GitLab services. An Omnibus package upgrade runs `gitlab-ctl reconfigure` and restarts them for you; confirm they are back up with `gitlab-ctl status`.
4. Verify the update completed successfully by checking the running version.
🔧 Temporary Workarounds
Restrict Developer Permissions
Until patched, review project membership and move accounts that do not need to run pipelines from Developer down to Reporter, which cannot trigger manual jobs.
Disable Manual Triggers
Until patched, remove or gate manual jobs (`when: manual`) in pipelines that can reach deployment credentials or other sensitive variables.
🧯 If You Can't Patch
- Enforce least privilege on project membership, keep Developer access to the accounts that need it, and audit who holds it on projects with sensitive pipelines.
- Monitor manual job runs and alert when one carries job variables from a Developer account; review that run's job log and artifacts.
🔍 How to Verify
Check if Vulnerable:
Check the running GitLab version in the Admin Area or from the command line. Treat the instance as vulnerable unless the version is at or above the fixed release for its line (18.7.5, 18.8.5, 18.9.1) or on a later release line.
Check Version:
sudo gitlab-rake gitlab:env:info | grep 'GitLab version'
Verify Fix Applied:
Confirm the running version is 18.7.5, 18.8.5 or 18.9.1, a later patch on one of those lines, or a later release line.
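The version check above done programmatically, as an added example that is not part of this advisory or of GitLab's own tooling. It classifies a version string against the three fixed releases named on this page, accepting the `-ee`/`-ce` suffix that `gitlab-rake gitlab:env:info` and `GET /api/v4/version` emit. Assumptions: release lines older than 18.7 get no backport and are reported as vulnerable, and any line after 18.9 carries the fix forward; `base_url` and `token` in the API helper are yours to supply.

```python
"""Classify a GitLab version against the fixed releases for CVE-2025-14103
(18.7.5, 18.8.5, 18.9.1).  Added example, not GitLab code."""
import json
import re
import subprocess
import urllib.request

# (major, minor) -> first patch level on that line that contains the fix.
FIXED = {(18, 7): 5, (18, 8): 5, (18, 9): 1}


def parse_version(text):
    """Return (major, minor, patch) from '18.8.3-ee' or from the full
    'GitLab version: 18.8.3-ee' line printed by gitlab:env:info."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def status(text):
    """'patched' or 'vulnerable' for the version contained in text."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "vulnerable"
    if line > max(FIXED):
        # Assumption: lines released after 18.9 carry the fix forward.
        return "patched"
    # 18.6 and earlier: no fixed release exists for these lines.
    return "vulnerable"


def status_from_env_info():
    """Live check on the host, using the command quoted on this page."""
    out = subprocess.run(
        ["sudo", "gitlab-rake", "gitlab:env:info"],
        capture_output=True, text=True, check=True,
    ).stdout
    line = next(l for l in out.splitlines() if l.startswith("GitLab version"))
    return line, status(line)


def status_from_api(base_url, token):
    """Live check against GET /api/v4/version (an existing GitLab endpoint
    that requires an authenticated token).  base_url and token are yours."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        version = json.load(resp)["version"]
    return version, status(version)


if __name__ == "__main__":
    # Constructed sample of the gitlab:env:info line; not a real capture.
    sample = "GitLab version: 18.8.3-ee"
    print(sample, "->", status(sample))
```

Run it as-is to classify the constructed sample, or call `status_from_env_info()` on the GitLab host and `status_from_api()` from a workstation with a read-only token.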
📡 Detection & Monitoring
Log Indicators:
- Manual job runs that carry job variables from accounts with Developer access
- Manual jobs triggered by Developer accounts outside their normal activity
Network Indicators:
- Unusual API calls to pipeline or job endpoints from Developer accounts, in particular requests that run a manual job and pass variables with it
SIEM Query:
source="gitlab" AND (event="pipeline_variable_set" OR event="job_triggered") AND user_role="Developer"
The event and field names in this query are placeholders; map them to your own log schema. GitLab's request logs do not record the caller's role, so join the username against project membership to identify Developer accounts.
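A concrete form of the detection above, run over constructed log lines, as an added example that is not part of this advisory. It flags requests that run a manual job and pass job variables when the caller's project role is below Maintainer. Assumptions: the field names (`method`, `path`, `params`, `username`) follow the layout of GitLab's `api_json.log` and `production_json.log`, the two "play" path shapes are the API route and the web UI route, the membership map is what you would build from `GET /projects/:id/members/all`, and the policy being enforced is that only Maintainer and above may set variables on manual jobs. The sample lines are constructed, not real captures.

```python
"""Flag manual-job plays that carry job variables from low-privilege
accounts.  Added example, not GitLab code; adjust field names to your
log schema."""
import json
import re

# GitLab's documented access levels: Developer = 30, Maintainer = 40.
# Assumption: your policy allows only Maintainer and above to set variables.
MAINTAINER = 40

# Constructed sample lines in the shape of api_json.log (API) and
# production_json.log (web UI).  Not real captures.
SAMPLE_LOG = r'''
{"time":"2026-03-01T10:00:01Z","method":"POST","path":"/api/v4/projects/42/jobs/9001/play","params":[{"key":"job_variables_attributes","value":"[FILTERED]"}],"username":"dev-alice","status":200}
{"time":"2026-03-01T10:00:02Z","method":"POST","path":"/api/v4/projects/42/jobs/9002/play","params":[],"username":"dev-alice","status":200}
{"time":"2026-03-01T10:00:03Z","method":"POST","path":"/group/app/-/jobs/9003/play","params":[{"key":"job_variables_attributes","value":"[FILTERED]"}],"username":"ops-bob","status":302}
{"time":"2026-03-01T10:00:04Z","method":"GET","path":"/api/v4/projects/42/jobs/9001","params":[],"username":"dev-alice","status":200}
{"time":"2026-03-01T10:00:05Z","method":"POST","path":"/group/app/-/jobs/9004/play","params":[{"key":"job_variables_attributes","value":"[FILTERED]"}],"username":"dev-carol","status":302}
'''

# Constructed membership snapshot (username -> access_level), as you would
# assemble from GET /projects/:id/members/all.
MEMBERS = {"dev-alice": 30, "ops-bob": 40, "dev-carol": 30}

# Assumed path shapes: the Jobs API play route and the web UI play route.
PLAY_PATH = re.compile(r"^(?:/api/v4/projects/\d+/jobs/\d+|/[^?]+/-/jobs/\d+)/play$")


def carries_job_variables(params):
    """True when the request passed job variables.  Form encoding may
    flatten the key to job_variables_attributes[0][key], so match on
    the prefix rather than the exact key."""
    return any(p.get("key", "").startswith("job_variables_attributes") for p in params)


def find_suspicious_plays(log_text, members):
    """Return (time, username, path) for each manual-job play that set
    variables from an account below Maintainer.  Unknown usernames are
    treated as level 0 and therefore flagged."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("method") != "POST" or not PLAY_PATH.match(ev.get("path", "")):
            continue
        if not carries_job_variables(ev.get("params", [])):
            continue
        if members.get(ev.get("username"), 0) >= MAINTAINER:
            continue
        hits.append((ev["time"], ev["username"], ev["path"]))
    return hits


if __name__ == "__main__":
    for when, user, path in find_suspicious_plays(SAMPLE_LOG, MEMBERS):
        print(f"{when} {user} set job variables via {path}")
```

On the sample this reports the two plays by `dev-alice` and `dev-carol` and ignores the play by `ops-bob` (a Maintainer), the play without variables, and the GET. In production, feed it the relevant log file and a membership export refreshed on a schedule, since the role join is what turns "someone set variables" into "a Developer set variables".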