[Bug][Security?] Arbitrary issue comments can be injected by modifying URL parameters
Summary
Steps to reproduce
- Find a comment from any issue. Copy its URL. Example: !176262 (comment 2756782212)
- Go to any other issue. Example: #570765
- Modify the URL to include an arbitrary note in the URL hash parameters. Example:
#note_2756782212
- GitLab will render the note as if it were part of the issue. Example: #570765 (comment 2756782212)
The note doesn't even have to be an issue note; it can be a merge request note, like the one I included in the example.
This could be considered a security issue where input is not validated, but I don't see what harm can be done with this, unless through some social engineering.
The second bug, which is how I accidentally stumbled on this, is that the system events (label changes) have a very low note ID value:
Output of checks
High-severity bug remediation
@gitlab-bot label typebug
Edited by 🤖 GitLab Bot 🤖
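The missing validation described in this report, sketched as an added example (not GitLab's code and not part of the original issue): a note taken from the `#note_<id>` fragment is rendered only if it belongs to the page being viewed. The data model, function names and the second note ID are assumptions made for illustration; the first note ID, merge request and issue numbers are the ones from the report.

```javascript
// Added illustration, not GitLab code. The NOTES store and all function names are hypothetical.
// Constructed sample data: the first entry mirrors the report (comment 2756782212 on !176262);
// the second entry is an invented note that really belongs to issue #570765.
const NOTES = new Map([
  ['2756782212', { id: '2756782212', noteableType: 'MergeRequest', noteableId: 176262, body: 'MR comment' }],
  ['2756790001', { id: '2756790001', noteableType: 'Issue', noteableId: 570765, body: 'Issue comment' }],
]);

// Strictly parse "#note_<digits>"; any other fragment yields null.
// IDs stay strings so large values are never rounded by Number.
function parseNoteFragment(hash) {
  const m = /^#note_(\d{1,19})$/.exec(hash || '');
  return m ? m[1] : null;
}

// Behaviour the report describes: the note is resolved by ID alone,
// so a note from any issue or merge request is returned.
function resolveNoteUnscoped(hash) {
  const id = parseNoteFragment(hash);
  return id === null ? null : (NOTES.get(id) ?? null);
}

// Scoped lookup: the note must belong to the noteable of the current page.
// A note from elsewhere is treated exactly like a note that does not exist.
function resolveNoteScoped(hash, page) {
  const note = resolveNoteUnscoped(hash);
  if (!note) return null;
  const owned = note.noteableType === page.type && note.noteableId === page.id;
  return owned ? note : null;
}
```

The same ownership check belongs on whatever server endpoint returns the note, since a client-side check alone only hides the result.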