SB2026062554 - Multiple vulnerabilities in GitLab Community Edition and Enterprise Edition




Published: June 25, 2026

Security Bulletin ID: SB2026062554
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

High: 8% | Medium: 8% | Low: 85%

Description

This security bulletin contains information about 13 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-5796)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to view package metadata from projects with the package registry disabled.

The vulnerability exists due to improper access control in the group packages API when handling group package requests. A remote user can call the affected API endpoints to view package metadata from projects whose package registry is disabled.

The issue is limited to users with Reporter-level group permissions.


2) Path traversal (CVE-ID: CVE-2026-10712)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary JavaScript in a user's browser session.

The vulnerability exists due to improper path validation in the Web IDE workbench asset handler when handling crafted asset requests. A remote attacker can send a specially crafted request to execute arbitrary JavaScript in a user's browser session.

User interaction is required to load the affected content.


3) Information disclosure (CVE-ID: CVE-2026-12053)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information that had already been committed to a project.

The vulnerability exists due to insufficient filtering in Duo workflows when processing output. A remote user can read workflow output to disclose sensitive information that had already been committed to a project.


4) Improper access control (CVE-ID: CVE-2026-5309)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to read or modify another group's virtual registry cleanup policy settings.

The vulnerability exists due to improper access control in the virtual registry cleanup policy API when handling requests for group policy settings. A remote user can send a crafted request to read or modify another group's virtual registry cleanup policy settings.


5) Incorrect authorization (CVE-ID: CVE-2026-2238)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose confidential issue references on public projects.

The vulnerability exists due to improper authorization in rapid diffs when rendering public project content. A remote attacker can view the affected rapid diffs to disclose confidential issue references on public projects.


6) Incorrect authorization (CVE-ID: CVE-2026-11379)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose DAST site profile secrets.

The vulnerability exists due to incorrect authorization in DAST scanner and site profile management when managing DAST site profiles. A remote user can use the affected profile management functionality to disclose DAST site profile secrets.

The issue affects DAST site profile management.


7) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-8330)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local privileged user to disclose sensitive information in application logs.

The vulnerability exists due to insufficient filtering in a CI/CD API endpoint when processing API input. A local privileged user can submit crafted data to disclose sensitive information in application logs.


8) Input validation error (CVE-ID: CVE-2026-1606)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to conceal content within a snippet.

The vulnerability exists due to improper input validation in snippets when processing snippet content. A remote user can submit crafted content to conceal content within a snippet.


9) Incorrect authorization (CVE-ID: CVE-2026-5952)

CWE-ID: CWE-863 - Incorrect Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite protected Maven package metadata.

The vulnerability exists due to incorrect authorization in the Maven package registry when enforcing package protection rules. A remote user can bypass package protection rules to overwrite protected Maven package metadata.


10) Cross-site scripting (CVE-ID: CVE-2026-10086)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary client-side code in the context of another user's session.

The vulnerability exists due to improper neutralization of input during web page generation in the analytics dashboard when rendering user-supplied input. A remote user can inject crafted content to execute arbitrary client-side code in the context of another user's session.

User interaction is required to load the affected content.


11) Improper access control (CVE-ID: CVE-2026-0934)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.

The vulnerability exists due to improper access control in the protected environments API when handling protected environment configuration requests. A remote privileged user can send crafted requests to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.


12) Missing Authorization (CVE-ID: CVE-2026-3176)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to access project information.

The vulnerability exists due to missing authorization in the security dashboard when handling requests for project information. A remote user can use the affected dashboard functionality to access project information.

The issue affects users with limited permissions under certain conditions.


13) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-12635)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to make requests to internal network resources.

The vulnerability exists due to improper URL validation in repository mirroring when performing mirror synchronization. A remote user can supply a crafted mirror URL to make requests to internal network resources.

The issue is triggered through mirror synchronization.
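As an added defensive example (not GitLab's code, and not the vendor's fix): the class of server-side check whose absence item 13 describes, applied to a user-supplied mirror URL before the server ever connects to it. The allowed-scheme set and the DNS table are assumptions constructed for this example so it runs offline; a real deployment resolves through the system resolver and pins the checked address for the actual connection.

```python
"""Server-side validation of a user-supplied mirror URL (added example, not GitLab code).

The checks reject URL schemes outside an allow-list, literal addresses in
internal ranges, loopback hostnames, and hostnames that resolve to any
internal address. The DNS answers are a constructed table so the example
runs offline; a real deployment resolves through the system resolver.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption for this example: only these schemes may be mirrored.
ALLOWED_SCHEMES = {"https", "ssh"}

# Constructed DNS table standing in for a real resolver. Python's ipaddress
# treats the RFC 5737 documentation ranges as private, so the "public"
# answers below use ordinary addresses instead.
FAKE_DNS = {
    "git.example.org": ["5.6.7.8"],
    "rebind.example.net": ["5.6.7.8", "10.0.0.5"],   # mixed public/internal answer
    "imds.example.internal": ["169.254.169.254"],     # link-local metadata address
}


def fake_resolve(host):
    """Return the constructed address answers for host ([] if unknown)."""
    return FAKE_DNS.get(host.lower(), [])


def is_internal(addr_str):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    addr = ipaddress.ip_address(addr_str)
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_mirror_url(url, resolve=fake_resolve):
    """Return (ok, reason). ok is True only when every check passes."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    # A literal IP address needs no DNS lookup but must still be screened.
    try:
        if is_internal(host):
            return False, f"literal internal address {host}"
        return True, f"literal public address {host}"
    except ValueError:
        pass  # not an IP literal; fall through to DNS
    answers = resolve(host)
    if not answers:
        return False, f"{host} does not resolve"
    internal = [a for a in answers if is_internal(a)]
    if internal:
        # Reject if *any* answer is internal: a mixed answer is the usual rebinding setup.
        return False, f"{host} resolves to internal address(es) {internal}"
    return True, f"{host} resolves only to public addresses"


if __name__ == "__main__":
    for candidate in (
        "https://git.example.org/group/project.git",
        "ssh://git@git.example.org/group/project.git",
        "http://git.example.org/group/project.git",
        "https://10.0.0.5/group/project.git",
        "https://[::1]:8080/project.git",
        "https://rebind.example.net/project.git",
        "https://imds.example.internal/latest/meta-data/",
    ):
        print(f"{candidate:50} -> {validate_mirror_url(candidate)}")
```

Two design points matter in practice: the validator refuses a hostname whose answer set mixes public and internal addresses rather than accepting the public one, and the address that passed the check must be the one the mirroring client connects to (re-resolving at connect time reopens the time-of-check/time-of-use gap).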


Remediation

Install the update from the vendor's website.
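The CVSSv4 vectors listed in this bulletin can be triaged mechanically. The following is an added example, not the bulletin publisher's tooling: it parses each CVSS:4.0 vector string (rejecting malformed or incomplete ones) and buckets the 13 CVEs by the properties a patch-priority review checks first. The vectors are copied from the entries above; the parser and bucket names are this example's own.

```python
"""Parse the CVSS v4.0 vectors from this bulletin and triage them (added example).

The vectors are copied from the bulletin; the parser and the triage
buckets are this example's own, not the bulletin publisher's tooling.
"""
import re

# CVSS v4.0 vectors as listed in the bulletin, keyed by CVE.
BULLETIN_VECTORS = {
    "CVE-2026-5796": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-10712": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-12053": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-5309": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-2238": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-11379": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-8330": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-1606": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-5952": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-10086": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear",
    "CVE-2026-0934": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-3176": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-12635": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
}

# The eleven base metrics every CVSS v4.0 vector must carry.
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
METRIC_RE = re.compile(r"^([A-Z]{1,3}):([A-Za-z]+)$")


def parse_cvss4(vector):
    """Split a CVSS:4.0 vector string into a {metric: value} dict.

    Raises ValueError on a wrong prefix, a malformed or duplicated metric,
    or a missing base metric, so a typo in a bulletin is caught rather than
    silently treated as 'not defined'.
    """
    prefix, *items = vector.split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    metrics = {}
    for item in items:
        match = METRIC_RE.match(item)
        if not match:
            raise ValueError(f"malformed metric {item!r}")
        key, value = match.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def triage(vectors):
    """Bucket CVEs by the properties a patch-priority review looks at first."""
    buckets = {
        "unauthenticated_remote": [],    # AV:N together with PR:N
        "local_only": [],                # AV:L
        "high_confidentiality": [],      # VC:H
        "integrity_impact": [],          # VI other than N
        "needs_user_interaction": [],    # UI other than N
        "subsequent_system_impact": [],  # any of SC/SI/SA other than N
    }
    for cve, vector in vectors.items():
        m = parse_cvss4(vector)
        if m["AV"] == "N" and m["PR"] == "N":
            buckets["unauthenticated_remote"].append(cve)
        if m["AV"] == "L":
            buckets["local_only"].append(cve)
        if m["VC"] == "H":
            buckets["high_confidentiality"].append(cve)
        if m["VI"] != "N":
            buckets["integrity_impact"].append(cve)
        if m["UI"] != "N":
            buckets["needs_user_interaction"].append(cve)
        if any(m[k] != "N" for k in ("SC", "SI", "SA")):
            buckets["subsequent_system_impact"].append(cve)
    return buckets


if __name__ == "__main__":
    for name, cves in triage(BULLETIN_VECTORS).items():
        print(f"{name:26} {len(cves):2}  {', '.join(cves)}")
```

Run as a script it prints one line per bucket; for this bulletin only two of the thirteen entries are reachable without any privileges (AV:N with PR:N), one is local-only, and four carry a high confidentiality impact. The parser is strict on purpose: a vector missing a base metric is an error, not a vector to be scored.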