The host is installed with Gitlab-ee after 11.5, before 12.1.14, 12.2.0 before 12.2.8, 12.3.0 before 12.3.5 and is prone to an improper access control vulnerability. A flaw is present in the application, which fails to handle group search feature provided by elasticsearch integration. Successful exploitation allows attackers to disclose private merge requests information.