SB2026040951 - Multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

Published: April 9, 2026

Security Bulletin ID: SB2026040951
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 83%, Low: 17%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Exposed dangerous method or function (CVE-ID: CVE-2026-5173)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the exposure of a dangerous function in websocket connections. A remote user can invoke unintended server-side methods.


2) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1092)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in Terraform state lock API. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


3) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2025-12664)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in GraphQL API. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Input validation error (CVE-ID: CVE-2026-1403)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of CSV file structure. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


5) Improper Validation of Specified Quantity in Input (CVE-ID: CVE-2026-1101)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in GraphQL SBOM API. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


6) Code Injection (CVE-ID: CVE-2026-1516)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation in Code Quality reports. A remote user can leak IP addresses of users viewing the report and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


7) Cross-site scripting (CVE-ID: CVE-2026-4332)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in analytics dashboards. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


8) Incorrect authorization (CVE-ID: CVE-2026-2619)

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to incorrect authorization in vulnerability flags AI detection API. A remote user can modify vulnerability flag data in private projects.


9) Missing Authorization (CVE-ID: CVE-2025-9484)

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to incorrect authorization in a certain GraphQL query. A remote user can gain access to other users' email addresses.


10) Incorrect authorization (CVE-ID: CVE-2026-1752)

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to incorrect authorization in Environments API. A remote user can modify protected environment settings.


11) Incorrect authorization (CVE-ID: CVE-2026-2104)

The vulnerability allows a remote attacker to bypass the authorization process.

The vulnerability exists due to incorrect authorization in CSV export. A remote user can access confidential issues assigned to other users.


12) Missing Authorization (CVE-ID: CVE-2026-4916)

The vulnerability allows a remote user to bypass the authorization process.

The vulnerability exists due to incorrect authorization in custom role permissions. A remote administrator can demote or remove higher-privileged group members.


Remediation

Install the update from the vendor's website.