S4Nderdevelopment

**Name of the Vulnerable Software and Affected Versions** GitLab CE/EE versions 13.0 and later **Description** A privileged user can change the visibility level of a group or a project to a restricted option through an API call, even after the instance administrator sets that visibility option as restricted in settings. This issue affects all versions of GitLab CE/EE since version 13.0. **Recommendations** For GitLab CE/EE versions 13.0 and later, restrict access to the API endpoint that allows changing the visibility level of groups or projects until a patch is available. As a temporary workaround, consider disabling the ability for privileged users to modify visibility settings for groups and projects.