CVE-2026-2370: GitLab Jira Connect Credential Impersonation
A high-severity vulnerability has been disclosed in GitLab CE/EE, tracked as CVE-2026-2370 with a CVSS score of 8.1 (High). The flaw exists in GitLab's Jira Connect integration and affects all versions from 14.3 through 18.10, with patches available in 18.8.7, 18.9.3, and 18.10.1. An authenticated user with minimal workspace permissions can exploit the vulnerability to obtain Jira Connect installation credentials and use them to impersonate other users within the connected Jira workspace.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-2370 |
| CVSS Score | 8.1 (High) |
| Affected Component | GitLab Jira Connect Integration |
| Affected Versions | CE/EE 14.3 – 18.8.6, 18.9.0 – 18.9.2, 18.10.0 |
| Patched Versions | 18.8.7, 18.9.3, 18.10.1 |
| Attack Vector | Authenticated (minimal permissions required) |
| In-the-Wild Exploitation | Not confirmed at time of disclosure |
| Published | March 30, 2026 |
Technical Analysis
The vulnerability resides in the Jira Connect OAuth integration layer within GitLab. The Jira Connect feature allows GitLab projects to link with Atlassian Jira Software installations, enabling cross-referencing of issues, branches, commits, and merge requests between the two platforms.
To facilitate this integration, GitLab generates and stores installation credentials — secrets used to authenticate API calls from GitLab to the connected Jira installation. These credentials represent the bridge between the GitLab project context and the Jira workspace.
The core flaw is that the endpoint responsible for serving or validating Jira Connect installation state does not enforce sufficient authorization checks. An authenticated GitLab user with no more than basic membership permissions (e.g., Guest or Reporter role) can craft requests to retrieve the Jira Connect installation token or signing secret for a connected Jira installation.
Exploitation Path
1. Attacker holds any authenticated GitLab account (Guest-level or higher) on a GitLab instance with Jira Connect configured
2. Attacker queries the GitLab Jira Connect integration endpoint — no elevated permissions are required to access the credential material
3. Obtained installation credentials allow the attacker to generate signed Jira Connect API requests authenticated as the GitLab integration
4. Attacker leverages the credentials to impersonate other users within the connected Jira workspace — performing actions under their identity
5. Depending on Jira workspace permissions, impersonated actions may include reading sensitive issues, modifying tickets, or accessing project data
Scope and Prevalence
GitLab is one of the most widely deployed DevSecOps platforms globally, used across enterprise, government, and open-source communities. The Jira Connect integration is a commonly enabled feature in organizations that use both GitLab and Atlassian Jira for project and issue tracking.
The breadth of the affected version range — from GitLab 14.3 (released in 2021) through current 18.10.0 — means that a substantial portion of GitLab deployments worldwide could be vulnerable if not yet patched. Managed GitLab.com is typically updated promptly, but self-managed instances may lag behind.
Remediation
Primary Fix: Upgrade GitLab
GitLab has issued patched releases addressing CVE-2026-2370:
| Stream | Patched Version |
|---|---|
| 18.8.x | 18.8.7 |
| 18.9.x | 18.9.3 |
| 18.10.x | 18.10.1 |
Update your self-managed GitLab instance to one of these versions immediately.
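To triage a fleet of self-managed instances against the affected ranges listed above, here is an added Python helper (example code, not part of the advisory or of GitLab): it parses the version string that `gitlab-rake gitlab:env:info` prints (including the `-ee`/`-ce` suffix) and names the fix release for each vulnerable host. The inventory is constructed, and pointing pre-18.8 streams at 18.8.7 as the lowest fixed release is an assumption.

```python
import re

# Affected range and fixed releases exactly as the advisory lists them.
FIRST_AFFECTED = (14, 3, 0)
FIXES = {(18, 8): (18, 8, 7), (18, 9): (18, 9, 3), (18, 10): (18, 10, 1)}


def parse_version(text):
    """Return (major, minor, patch) from '18.9.1-ee' or from the full
    'GitLab version: 18.9.1-ee' line that gitlab-rake gitlab:env:info prints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if the version is inside an affected range for CVE-2026-2370."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    stream = v[:2]
    if stream in FIXES:
        return v < FIXES[stream]   # fixed from the listed patch release onward
    return stream < (18, 8)        # older streams have no fix; newer ones are not listed


def triage(inventory):
    """inventory: {host: version string} -> sorted (host, version, target) for
    vulnerable hosts. Assumption: hosts on streams older than 18.8 are pointed
    at 18.8.7, the lowest fixed release (follow GitLab's upgrade path to get there)."""
    rows = []
    for host, ver in inventory.items():
        if is_vulnerable(ver):
            target = FIXES.get(parse_version(ver)[:2], FIXES[(18, 8)])
            rows.append((host, ver, ".".join(map(str, target))))
    return sorted(rows)


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {"git-a": "18.9.1-ee", "git-b": "18.10.1-ee", "git-c": "17.5.2-ce",
              "git-d": "14.2.9", "git-e": "GitLab version: 18.8.7-ee"}
    for host, ver, target in triage(sample):
        print(f"{host}: {ver} is vulnerable, upgrade to {target}")
```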
```bash
# For Omnibus installations — check current version
gitlab-rake gitlab:env:info | grep "GitLab version"
# Upgrade via package manager (Debian/Ubuntu)
apt-get update && apt-get install gitlab-ee
# For GitLab Runner or source installations, follow the standard upgrade guide
```
Interim Mitigations
If an immediate upgrade is not possible:
- Disable Jira Connect — navigate to Admin Area > Settings > Integrations and disable the Jira Connect application until the instance is patched
- Audit Jira Connect tokens — rotate any existing Jira Connect installation credentials through the Jira Software administration panel
- Review GitLab audit logs — check for unexpected API calls to Jira Connect integration endpoints from low-privilege accounts
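The last bullet can be turned into a repeatable check. The following added Python script (not part of the advisory or of GitLab) parses `api_json.log` lines, keeps requests whose path contains `jira_connect`, and counts successful versus denied calls per account and source address for every account outside an allowlist of expected integration users. The log lines and the allowlist are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed api_json.log lines (not from a real instance); field names follow GitLab's api_json.log schema.
SAMPLE_LOG = """\
{"time":"2026-03-31T09:01:12Z","method":"GET","path":"/api/v4/projects","status":200,"username":"alice","remote_ip":"10.0.0.5"}
{"time":"2026-03-31T09:02:40Z","method":"GET","path":"/api/v4/integrations/jira_connect/subscriptions","status":200,"username":"jira-integration-bot","remote_ip":"10.0.0.9"}
{"time":"2026-03-31T09:03:05Z","method":"GET","path":"/api/v4/integrations/jira_connect/subscriptions","status":200,"username":"guest-user","remote_ip":"203.0.113.7"}
{"time":"2026-03-31T09:03:06Z","method":"GET","path":"/api/v4/integrations/jira_connect/subscriptions","status":200,"username":"guest-user","remote_ip":"203.0.113.7"}
{"time":"2026-03-31T09:04:00Z","method":"POST","path":"/api/v4/integrations/jira_connect/subscriptions","status":403,"username":"guest-user","remote_ip":"203.0.113.7"}
this line is not JSON and must be skipped
"""

# Accounts expected to call Jira Connect endpoints (assumption: a site-specific allowlist).
EXPECTED_ACCOUNTS = {"jira-integration-bot"}


def parse_api_log(text):
    """Yield one dict per JSON line, silently skipping malformed lines."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def jira_connect_findings(text, expected=EXPECTED_ACCOUNTS):
    """Map (username, remote_ip) -> {"ok": n, "denied": m} for Jira Connect
    requests from accounts outside the allowlist. "ok" counts 2xx responses
    (the ones worth investigating); "denied" counts 4xx (probing noise)."""
    findings = defaultdict(lambda: {"ok": 0, "denied": 0})
    for rec in parse_api_log(text):
        if "jira_connect" not in rec.get("path", ""):
            continue
        user = rec.get("username") or "<anonymous>"
        if user in expected:
            continue
        status = int(rec.get("status", 0))
        key = (user, rec.get("remote_ip", ""))
        if 200 <= status < 300:
            findings[key]["ok"] += 1
        elif 400 <= status < 500:
            findings[key]["denied"] += 1
    return dict(findings)


if __name__ == "__main__":
    for (user, ip), c in sorted(jira_connect_findings(SAMPLE_LOG).items()):
        print(f"{user} from {ip}: {c['ok']} successful, {c['denied']} denied Jira Connect calls")
```

On a live instance, pipe the real file in with `cat /var/log/gitlab/gitlab-rails/api_json.log` and replace the allowlist with the accounts that legitimately operate the integration.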
Detection
Identify potential exploitation attempts in GitLab logs:
```bash
# GitLab Omnibus — check production and API logs for Jira Connect endpoint access
grep -i "jira_connect" /var/log/gitlab/gitlab-rails/production.log | \
  grep -v "200" | tail -100
# Review API access log for anomalous Jira Connect requests
grep "jira_connect" /var/log/gitlab/gitlab-rails/api_json.log | \
  python3 -c "import sys, json; [print(json.loads(l).get('username',''), json.loads(l).get('path',''), json.loads(l).get('status','')) for l in sys.stdin]"
# Check audit events for integration configuration access
gitlab-rails runner "AuditEvent.where(\"details LIKE '%jira_connect%'\").last(50).each { |e| puts e.details }"
```
Impact Assessment
| Impact Area | Description |
|---|---|
| User Impersonation | Attacker can act as other users within the connected Jira workspace |
| Data Access | Access to Jira issues, project boards, and linked development data |
| Privilege Scope | Bounded by permissions of the impersonated Jira account |
| Attack Barrier | Requires authenticated GitLab account on an affected instance |
| Cascade Risk | Compromised Jira credentials may affect other Atlassian integrations |
Key Takeaways
- CVE-2026-2370 is a CVSS 8.1 High flaw in GitLab's Jira Connect integration allowing credential theft and user impersonation
- Affects a very wide version range: GitLab CE/EE from 14.3 all the way to 18.10.0
- Only an authenticated account with minimal permissions is required — no admin access needed
- Upgrade to 18.8.7, 18.9.3, or 18.10.1 immediately; rotate Jira Connect credentials if exploitation cannot be ruled out
- GitLab.com (SaaS) is typically patched automatically; self-managed instances require manual action