GitLab Enterprise Edition (EE) 11.3 and later up to and including 12.5 allows an Insecure Direct Object Reference (IDOR).
gitlab gitlab