SB2026051845 - Multiple vulnerabilities in GitLab CE/EE

Published: May 18, 2026

Security Bulletin ID: SB2026051845
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 18% (2 of 11)
Medium: 9% (1 of 11)
Low: 73% (8 of 11)
Critical: 0%

Description

This security bulletin contains information about 11 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-5377)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose titles of confidential or private issues in public projects.

The vulnerability exists due to improper access control in the issue description renderer when rendering issue descriptions. A remote user can access rendered issue content to disclose titles of confidential or private issues in public projects.


2) Improper Resolution of Path Equivalence (CVE-ID: CVE-2026-5816)

CWE-ID: CWE-41 - Improper Resolution of Path Equivalence

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary JavaScript in a user's browser session.

The vulnerability exists due to improper resolution of path equivalence in Web IDE asset path validation under certain conditions. A remote attacker can cause a victim to load a crafted asset path and thereby execute arbitrary JavaScript in the victim's browser session.

User interaction is required.


3) Cross-site scripting (CVE-ID: CVE-2026-5262)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to access tokens in the Storybook development environment.

The vulnerability exists due to improper input validation in Storybook when rendering content under certain conditions. A remote attacker can supply crafted input to access tokens in the Storybook development environment.

User interaction is required.


4) Resource exhaustion (CVE-ID: CVE-2025-0186)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to resource exhaustion in the discussions endpoint when handling crafted requests. A remote user can send crafted requests to cause a denial of service.


5) Input validation error (CVE-ID: CVE-2026-1660)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in Jira import when importing issues. A remote user can submit crafted import data to cause a denial of service.


6) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-6016)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to insufficient resource allocation limits in the notes endpoint when retrieving notes under certain conditions. A remote user can send requests to retrieve notes to cause a denial of service.


7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-3922)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to insufficient resource allocation limits in the GraphQL API when processing GraphQL requests under certain conditions. A remote user can send crafted requests to cause a denial of service.


8) Insufficient Session Expiration (CVE-ID: CVE-2026-6515)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access Virtual Registries with invalidated or incorrectly scoped credentials.

The vulnerability exists due to insufficient session expiration in virtual registry credential validation under certain conditions. A remote user can present invalidated or incorrectly scoped credentials to access Virtual Registries.


9) Cross-site request forgery (CVE-ID: CVE-2026-4922)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute GraphQL mutations on behalf of authenticated users.

The vulnerability exists due to insufficient CSRF protection in the GraphQL API when handling GraphQL mutation requests. A remote attacker can send a specially crafted request to execute GraphQL mutations on behalf of authenticated users.

User interaction is required.


10) Improper Restriction of Rendered UI Layers or Frames (CVE-ID: CVE-2026-3254)

CWE-ID: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to load unauthorized content into another user's browser.

The vulnerability exists due to improper restriction of rendered UI layers or frames in the Mermaid sandbox when rendering Mermaid content under certain conditions. A remote user can supply crafted input to load unauthorized content into another user's browser.

User interaction is required.


11) Improper access control (CVE-ID: CVE-2025-9957)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass group fork prevention settings.

The vulnerability exists due to improper access control in the project fork relationship API when processing fork relationship requests. A remote privileged user can perform crafted API actions to bypass group fork prevention settings.

Exploitation requires project owner permissions.


Remediation

Install the update from the vendor's website.