SB2026051863 - Multiple vulnerabilities in GitLab CE/EE
Published: May 18, 2026
Description
This security bulletin contains information about 25 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-3607)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass package protection rules.
The vulnerability exists due to improper access control in Helm package upload handling. A remote user can upload a restricted package, bypassing the package protection rules.
2) Cross-site scripting (CVE-ID: CVE-2026-6335)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code in another user's browser session.
The vulnerability exists due to improper sanitization in Banzai markdown sanitizer when rendering crafted markdown content. A remote user can inject crafted script content to execute arbitrary code in another user's browser session.
User interaction is required to view the crafted content.
3) Improper Authorization (CVE-ID: CVE-2026-6883)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass merge request approval requirements.
The vulnerability exists due to improper cleanup of orphaned policy records when security policy projects are reassigned (Security Policy Project Reassignment). A remote user can trigger the affected reassignment state to bypass merge request approval requirements.
User interaction is required.
4) Missing Authorization (CVE-ID: CVE-2026-2900)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete project approval rules.
The vulnerability exists due to missing authorization checks in GraphQL approval rule mutations when instance-level approval rule editing prevention is enabled. A remote privileged user can use these mutations to modify or delete project approval rules.
The issue occurs only when instance-level approval rule editing prevention is enabled.
5) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-7471)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to make requests to internal hosts.
The vulnerability exists due to improper validation in the virtual registry redirect handler when processing redirects from a virtual registry upstream. A remote user who controls a virtual registry upstream can cause the server to make requests to internal hosts.
Exploitation requires control of a virtual registry upstream.
6) Improper access control (CVE-ID: CVE-2025-13874)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to view issues in projects they are not authorized to access.
The vulnerability exists due to improper access control in issue links API when handling issue link requests. A remote user can request linked issue data to view issues in projects they are not authorized to access.
Guest permissions are sufficient.
7) Improper Authorization (CVE-ID: CVE-2026-3073)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass PyPI package protection rules and upload restricted packages.
The vulnerability exists due to improper authorization checks in PyPI Package Protection Rules when handling package uploads. A remote user can upload restricted packages, bypassing the PyPI package protection rules.
8) Improper access control (CVE-ID: CVE-2026-6063)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to remove code owner approval rules from merge requests.
The vulnerability exists due to improper access control in code owner approval rules when handling merge request approval rule changes. A remote user can change the approval rules of a merge request to remove its code owner approval rules.
The issue occurs under certain conditions.
9) Missing Authorization (CVE-ID: CVE-2026-8144)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to enumerate private group members.
The vulnerability exists due to missing authorization checks in group user search when performing user searches. A remote user can search group users to enumerate private group members.
Project membership is required.
10) Improper Authorization (CVE-ID: CVE-2026-1338)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete protected container registry tags.
The vulnerability exists due to improper authorization checks in container registry protected tags when handling tag deletion requests. A remote user can send tag deletion requests that remove protected container registry tags.
11) Improper access control (CVE-ID: CVE-2026-3074)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to download private debugging symbols from inaccessible projects.
The vulnerability exists due to improper access control in the NuGet Symbol Server when handling symbol download requests. A remote user can request debugging symbols to download private symbols belonging to projects they cannot access.
12) Cross-site scripting (CVE-ID: CVE-2026-7481)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' browsers.
The vulnerability exists due to improper input sanitization in analytics dashboard chart rendering. A remote user can inject crafted script content into analytics dashboard content to execute arbitrary JavaScript in other users' browsers.
User interaction is required to view the crafted content.
13) Cross-site scripting (CVE-ID: CVE-2025-12669)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject HTML and JavaScript into email notifications sent to other users.
The vulnerability exists due to improper input sanitization in achievement email notifications when generating notification content. A remote user can inject crafted HTML and JavaScript into the content of email notifications sent to other users.
User interaction is required to open the email notification.
14) Improper Authorization (CVE-ID: CVE-2026-3160)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose Jira issues outside the configured project scope.
The vulnerability exists due to improper access control in the Jira integration when enforcing project scope filters. A remote attacker can access Jira issues outside the configured project scope.
The integration filter functions only as a display control rather than an enforced access boundary.
15) Cross-site request forgery (CVE-ID: CVE-2026-4527)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to create unauthorized Jira subscriptions for a targeted user's namespace.
The vulnerability exists due to missing CSRF protection in JiraConnect subscriptions when a targeted user follows a specially crafted link. A remote attacker can send a specially crafted link to create unauthorized Jira subscriptions for a targeted user's namespace.
User interaction is required to follow the crafted link.
16) Input validation error (CVE-ID: CVE-2026-8280)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in direct transfer CSV parser when parsing crafted CSV input. A remote user can supply crafted CSV input to cause a denial of service.
The denial of service occurs through excessive memory consumption.
17) Improper Authorization (CVE-ID: CVE-2026-4524)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose confidential issue content in public projects.
The vulnerability exists due to improper authorization checks in the Issues API when handling requests for confidential issues. A remote user can request confidential issues in public projects and read their content.
18) Input validation error (CVE-ID: CVE-2026-1184)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper validation in Insights Configuration when uploading a specially crafted file. A remote user can upload a specially crafted file to cause a denial of service.
19) Improper Authorization (CVE-ID: CVE-2026-1322)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to create issues and add comments to issues in private projects.
The vulnerability exists due to improper authorization in GraphQL token scope enforcement when processing requests from a read_api scoped OAuth application. A remote user can use a read_api scoped OAuth application to create issues and add comments to issues in private projects.
20) Input validation error (CVE-ID: CVE-2025-14869)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input handling in internal API endpoints when processing specially crafted payloads. A remote attacker can send specially crafted payloads to cause a denial of service.
The issue affects certain API endpoints.
21) Input validation error (CVE-ID: CVE-2025-14870)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to insufficient input validation in Duo Workflows API when processing specially crafted JSON payloads. A remote attacker can send specially crafted JSON payloads to cause a denial of service.
22) Input validation error (CVE-ID: CVE-2026-1659)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to insufficient input validation in CI/CD job update API when handling specially crafted requests. A remote attacker can send specially crafted requests to cause a denial of service.
23) Cross-site scripting (CVE-ID: CVE-2026-7377)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' browsers.
The vulnerability exists due to improper input sanitization in customizable analytics dashboards when rendering dashboard content. A remote user can inject crafted script content to execute arbitrary JavaScript in other users' browsers.
User interaction is required to view the crafted content.
24) Cross-site scripting (CVE-ID: CVE-2026-6073)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' browsers.
The vulnerability exists due to improper input sanitization when rendering Duo Agent output. A remote user can inject crafted script content into agent output to execute arbitrary JavaScript in other users' browsers.
User interaction is required to view the crafted content.
25) Cross-site scripting (CVE-ID: CVE-2026-5297)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in other users' browsers.
The vulnerability exists due to improper input sanitization in global search when rendering search results. A remote user can inject crafted script content to execute arbitrary JavaScript in other users' browsers.
User interaction is required to view the crafted content.
Remediation
Install the update from the vendor's website.