Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups.

By admin