CVE-2020-26413

MEDIUM NUCLEI

GitLab CE/EE <13.6.2 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26413. PoCs published by Kento-Sec. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits CVE-2020-26413, an information disclosure vulnerability in GitLab's GraphQL API, allowing unauthenticated users to leak email addresses and usernames. The script sends a crafted GraphQL query to retrieve user data and supports both single-target and batch scanning.

Description

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL results in user email being unexpectedly visible.

Exploits (1)

nomisec WORKING POC 1 stars
by Kento-Sec · poc
https://github.com/Kento-Sec/GitLab-Graphql-CVE-2020-26413

This PoC exploits CVE-2020-26413, an information disclosure vulnerability in GitLab's GraphQL API, allowing unauthenticated users to leak email addresses and usernames. The script sends a crafted GraphQL query to retrieve user data and supports both single-target and batch scanning.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: GitLab (versions affected by CVE-2020-26413)
No auth needed
Prerequisites: Network access to the GitLab instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Gitlab CE/EE 13.4 - 13.6.2 - Information Disclosure
MEDIUMby _0xf4n9x_,pikpikcu
Shodan: http.title:"GitLab" || cpe:"cpe:2.3:a:gitlab:gitlab" || http.title:"gitlab"
FOFA: title="gitlab"

References (3)

Core 3
Core References
Permissions Required x_refsource_misc
https://hackerone.com/reports/972355

Scores

CVSS v3 5.3
EPSS 0.3377
EPSS Percentile 98.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200
Status published
Products (1)
gitlab/gitlab 13.4.0 - 13.6.2 (2 CPE variants)
Published Dec 11, 2020
Tracked Since Feb 18, 2026