SB20260325205 - Multiple vulnerabilities in GitLab Community Edition and Enterprise Edition

Published: March 25, 2026 Updated: March 26, 2026

Security Bulletin ID: SB20260325205
Severity: Medium
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 67%, Low: 33%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Improper Access Control (CVE-ID: CVE-2026-2726)

The vulnerability allows a remote user to perform unauthorized actions on merge requests in other projects.

The vulnerability exists due to improper access control during cross-repository operations on merge requests. A remote user can send a specially crafted request to perform unauthorized actions on merge requests in other projects.


2) Improper Authentication (CVE-ID: CVE-2026-4363)

The vulnerability allows a remote user to gain unauthorized access to resources.

The vulnerability exists due to improper caching of authorization decisions when handling requests under certain conditions. A remote user can send a specially crafted request that is served from a stale or incorrect authorization cache entry and gain unauthorized access to resources.


3) Improper Access Control (CVE-ID: CVE-2025-14595)

The vulnerability allows a remote user to view security category metadata and attributes in group security configuration.

The vulnerability exists due to improper access control in the GraphQL API when handling queries under certain conditions. A remote user with the Planner role can send a specially crafted GraphQL query to view security category metadata and attributes in group security configuration.

Authentication and specific role (Planner) are required to exploit this vulnerability.


4) Stored cross-site scripting (CVE-ID: CVE-2026-2973)

The vulnerability allows a remote user to execute arbitrary JavaScript in a user's browser.

The vulnerability exists due to improper sanitization of entity-encoded content in the Mermaid diagram renderer when rendering content. A remote user can inject malicious Mermaid diagrams containing encoded scripts which, when viewed by another user, execute arbitrary JavaScript in that user's browser.


5) Improper Access Control (CVE-ID: CVE-2026-2370)

The vulnerability allows a remote user to obtain installation credentials and impersonate the GitLab app.

The vulnerability exists due to improper authorization checks in Jira Connect installations when handling parameters. A remote user can send a specially crafted request to obtain installation credentials and impersonate the GitLab app.


6) Resource exhaustion (CVE-ID: CVE-2025-13078)

The vulnerability allows a remote user to cause a denial of service due to excessive resource consumption.

The vulnerability exists due to improper input validation in webhook configuration processing when handling certain webhook configuration inputs. A remote user can send a specially crafted webhook configuration to trigger excessive resource consumption and cause a denial of service.


7) Resource exhaustion (CVE-ID: CVE-2025-13436)

The vulnerability allows a remote user to cause a denial of service due to excessive resource consumption.

The vulnerability exists due to improper input validation in CI configuration processing when handling certain CI-related inputs. A remote user can send a specially crafted CI configuration to trigger excessive resource consumption and cause a denial of service.


8) Improper Access Control (CVE-ID: CVE-2026-1724)

The vulnerability allows a remote attacker to access API tokens of self-hosted AI models.

The vulnerability exists due to improper access control in GraphQL query handling. A remote attacker can send a specially crafted GraphQL query to access API tokens of self-hosted AI models.


9) Improper Access Control (CVE-ID: CVE-2026-2745)

The vulnerability allows a remote user to bypass WebAuthn two-factor authentication and gain unauthorized access to user accounts.

The vulnerability exists due to inconsistent input validation in the WebAuthn 2FA authentication process when handling requests. A remote user can send a specially crafted authentication request to bypass two-factor authentication and gain unauthorized access to user accounts.


10) Improper input validation (CVE-ID: CVE-2026-3988)

The vulnerability allows a remote attacker to cause a denial of service by making the GitLab instance unresponsive.

The vulnerability exists due to improper input validation in the GraphQL API when handling requests. A remote attacker can send a specially crafted GraphQL request to trigger excessive resource consumption and cause a denial of service.


11) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-2995)

The vulnerability allows a remote user to add email addresses to targeted user accounts.

The vulnerability exists due to improper sanitization of HTML content in the vulnerability report when rendering content. A remote user can inject malicious HTML content into a vulnerability report which, when viewed by another user, can add email addresses to that user's account.


12) Cross-Site Request Forgery (CSRF) (CVE-ID: CVE-2026-3857)

The vulnerability allows a remote attacker to execute arbitrary GraphQL mutations on behalf of authenticated users.

The vulnerability exists due to insufficient CSRF protection in the GLQL API when handling requests. A remote attacker can trick an authenticated user into clicking a malicious link to execute arbitrary GraphQL mutations on behalf of the user.


Remediation

Install the update from the vendor's website.