diff --git a/CHANGELOG b/CHANGELOG
index 775ea606813fb45a2a77c9325a87a1d26a8f24c5..eb5a5f7fcf48f060096ab3a5ea8a286e2471f72d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -23,6 +23,9 @@ v 8.10.0 (unreleased)
   - Allow [ci skip] to be in any case and allow [skip ci]. !4785 (simon_w)
   - Add basic system information like memory and disk usage to the admin panel
 
+v 8.9.4 (unreleased)
+  - Ensure references to private repos aren't shown to logged-out users
+
 v 8.9.3
   - Fix encrypted data backwards compatibility after upgrading attr_encrypted gem. !4963
   - Fix rendering of commit notes. !4953
diff --git a/app/models/concerns/mentionable.rb b/app/models/concerns/mentionable.rb
index f00b5b8497c13ab5bc576cb5d74b7742c9624948..8cac47246db63cfd6c3bd9bedb38c8ff56f5bc76 100644
--- a/app/models/concerns/mentionable.rb
+++ b/app/models/concerns/mentionable.rb
@@ -45,7 +45,7 @@ module Mentionable
 
   def all_references(current_user = nil, text = nil, extractor: nil)
     extractor ||= Gitlab::ReferenceExtractor.
-      new(project, current_user || author)
+      new(project, current_user)
 
     if text
       extractor.analyze(text, author: author)
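Review bot: The reason for dropping the `|| author` fallback on the `new(project, current_user)` line is not recorded in the code, so the next reader may well reinstate it: the extractor's user is the viewer whose visibility is checked, and defaulting it to the author let references to private projects leak to logged-out readers. A comment on that line such as `# Resolve references as the viewer (nil == logged-out), never as the author: the extractor filters by what this user may see` would pin that down. Any caller that still omits `current_user` and relied on the old fallback now resolves references as an anonymous user; the todo_service hunk in this commit passes the author explicitly, and other callers of `mentioned_users`/`all_references` presumably need the same review, though they are outside this diff. The body of `all_references` continues beyond the hunk.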
diff --git a/app/services/todo_service.rb b/app/services/todo_service.rb
index 239bd17a035aaa34344b417b4383c344f2f7ffab..6bb0a72d30ebd1ec8a60304940b5c8db5f18eae5 100644
--- a/app/services/todo_service.rb
+++ b/app/services/todo_service.rb
@@ -237,7 +237,7 @@ class TodoService
   end
 
   def filter_mentioned_users(project, target, author)
-    mentioned_users = target.mentioned_users
+    mentioned_users = target.mentioned_users(author)
     mentioned_users = reject_users_without_access(mentioned_users, project, target)
     mentioned_users.delete(author)
     mentioned_users.uniq
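Review bot: Passing `author` as the viewing user on the `target.mentioned_users(author)` line changes which mentions survive, and nothing explains why the author is the right viewer here rather than a current user; a one-line comment would prevent it being "simplified" back, e.g. `# Resolve mentions as the author: a todo may only be created for users the author could reference`. The signature of `mentioned_users` is not in this diff, so I am assuming it forwards the argument to `all_references` as `current_user`; if it has other callers that now pass nil, they silently lose private references. `filter_mentioned_users` ends outside the hunk.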
diff --git a/spec/models/concerns/mentionable_spec.rb b/spec/models/concerns/mentionable_spec.rb
index cb33edde820d225b73a6fa529ef77aafa714a95c..0344dae8b5d13e40238115bedb4e3445d24eec9c 100644
--- a/spec/models/concerns/mentionable_spec.rb
+++ b/spec/models/concerns/mentionable_spec.rb
@@ -29,6 +29,43 @@ describe Issue, "Mentionable" do
     it { is_expected.not_to include(user2) }
   end
 
+  describe '#referenced_mentionables' do
+    context 'with an issue on a private project' do
+      let(:project) { create(:empty_project, :public) }
+      let(:issue) { create(:issue, project: project) }
+      let(:public_issue) { create(:issue, project: project) }
+      let(:private_project) { create(:empty_project, :private) }
+      let(:private_issue) { create(:issue, project: private_project) }
+      let(:user) { create(:user) }
+
+      def referenced_issues(current_user)
+        text = "#{private_issue.to_reference(project)} and #{public_issue.to_reference}"
+
+        issue.referenced_mentionables(current_user, text)
+      end
+
+      context 'when the current user can see the issue' do
+        before { private_project.team << [user, Gitlab::Access::DEVELOPER] }
+
+        it 'includes the reference' do
+          expect(referenced_issues(user)).to contain_exactly(private_issue, public_issue)
+        end
+      end
+
+      context 'when the current user cannot see the issue' do
+        it 'does not include the reference' do
+          expect(referenced_issues(user)).to contain_exactly(public_issue)
+        end
+      end
+
+      context 'when there is no current user' do
+        it 'does not include the reference' do
+          expect(referenced_issues(nil)).to contain_exactly(public_issue)
+        end
+      end
+    end
+  end
+
   describe '#create_cross_references!' do
     let(:project) { create(:project) }
     let(:author)  { double('author') }
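Review bot: The context label `'with an issue on a private project'` does not match its setup: `issue`, the receiver under test, lives in the public `project`, and only `private_issue` is on `private_project`, so a failure message would mislead. Renaming it to `context 'with a reference to an issue on a private project' do` describes the scenario being exercised. The example names `'does not include the reference'` are also ambiguous between the two references in the text; `'includes only the public issue'` would make the expectation `contain_exactly(public_issue)` readable from the description alone.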