SB2026061168 - Multiple vulnerabilities in GitLab Community Edition and Enterprise Edition
Published: June 11, 2026. Updated: June 12, 2026.
Description
This security bulletin contains information about 12 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-6277)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to manage project security configuration when the feature is disabled.
The vulnerability exists due to improper access control in Security Inventory when handling project security configuration actions. A remote user can perform unauthorized management actions on a project's security configuration even when the feature is disabled.
The issue affects users with Security Manager-role permissions.
2) Cross-site scripting (CVE-ID: CVE-2026-10087)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary client-side code on behalf of a targeted user.
The vulnerability exists due to cross-site scripting in the Analytics Dashboard when rendering user-supplied input. A remote user can inject crafted content to execute arbitrary client-side code on behalf of a targeted user.
User interaction is required.
3) Input validation error (CVE-ID: CVE-2026-7250)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the API request parsing middleware when parsing JSON requests. A remote attacker can send a specially crafted request to cause a denial of service.
4) Cross-site scripting (CVE-ID: CVE-2026-8589)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to add unauthorized email addresses to a targeted user's account.
The vulnerability exists due to improper neutralization of input during web page generation in certain group setting fields when processing user-supplied input. A remote privileged user can inject crafted input to add unauthorized email addresses to a targeted user's account.
User interaction is required.
5) Resource exhaustion (CVE-ID: CVE-2026-1500)
CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the Group Placeholder Reassignments API when processing a specially crafted file upload. A remote user can upload a specially crafted file to cause a denial of service.
6) Improper access control (CVE-ID: CVE-2026-6269)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify hidden merge requests.
The vulnerability exists due to improper access control in the Merge Requests API when handling requests to hidden merge requests. A remote user can send crafted API requests to modify hidden merge requests.
The issue affects users with developer-role permissions.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-9204)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery in Gitaly repository import when validating secondary URLs during repository import. A remote user can supply crafted secondary URLs to disclose sensitive information.
The issue may allow reading arbitrary files from the Gitaly server and accessing internal network resources during repository import.
8) Cross-site scripting (CVE-ID: CVE-2026-10733)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper neutralization of input during web page generation in the CI/CD Catalog page when processing user-supplied input. A remote user can inject crafted content to cause a denial of service.
9) Improper access control (CVE-ID: CVE-2026-6552)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to take over another user's GitLab account.
The vulnerability exists due to improper access control in group SAML identity management functionality when managing group SAML identities through the Group SAML Identity API. A remote privileged user can exploit authorization flaws to take over another user's GitLab account.
The issue occurs under certain conditions and affects users with the group Owner role.
10) Input validation error (CVE-ID: CVE-2026-6976)
CWE-ID: CWE-20 - Improper Input Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to hide changes from merge request diff views.
The vulnerability exists due to improper input validation in merge request diff when processing file names. A remote user can use crafted file names to hide changes from merge request diff views.
User interaction is required.
11) Improper access control (CVE-ID: CVE-2026-3553)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose confidential issue details.
The vulnerability exists due to improper access control in the Todos API when handling requests for confidential issue data. A remote user can send crafted API requests to disclose confidential issue details.
12) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-9694)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary content while impersonating the GitLab Support Bot.
The vulnerability exists due to improper neutralization of output in Service Desk email template processing when handling a specially crafted Service Desk email reply. A remote user can send such a reply to inject arbitrary content while impersonating the GitLab Support Bot.
User interaction is required.
Remediation
Install the update from the vendor's website.