SB2026070844 - Multiple vulnerabilities in GitLab CE/EE
Published: July 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-6896)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary scripts in another user's browser session.
The vulnerability exists due to improper sanitization of user-supplied input in the vulnerability evidence table renderer when rendering user-supplied content. A remote user can inject specially crafted input to execute arbitrary scripts in another user's browser session.
User interaction is required for the victim to view the rendered content.
2) Cross-site scripting (CVE-ID: CVE-2026-13320)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary scripts in another user's browser session.
The vulnerability exists due to improper sanitization of user-supplied input in wiki markup rendering when rendering user-supplied wiki content. A remote privileged user can inject specially crafted markup to execute arbitrary scripts in another user's browser session.
User interaction is required for the victim to view the rendered content.
3) Improper Authorization (CVE-ID: CVE-2026-11827)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose stored credentials.
The vulnerability exists due to improper authorization controls in repository mirroring when accessing stored credentials. A remote privileged user can access another user's stored credentials to disclose stored credentials.
4) Missing Authorization (CVE-ID: CVE-2026-8472)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose work item metadata from private projects.
The vulnerability exists due to missing authorization checks in work items when accessing work item metadata. A remote user can request private project work item metadata to disclose work item metadata from private projects.
5) Improper Authorization (CVE-ID: CVE-2026-7492)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to determine the existence of a private project.
The vulnerability exists due to improper authorization controls in commit discussion display when accessing cross-project reference pages. A remote user can access crafted cross-project reference pages to determine the existence of a private project.
The advisory text describes the actor as unauthenticated, but the attacker label follows the provided CVSS vector.
6) Interpretation Conflict (CVE-ID: CVE-2025-12506)
CWE-ID: CWE-436 - Interpretation Conflict
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause the web interface to display content that differs from the content available for download.
The vulnerability exists due to improper handling of Git reference name resolution in tag or branch reference handling when resolving Git reference names. A remote user can create a repository with ambiguous references to cause the web interface to display content that differs from the content available for download.
User interaction is required to rely on the web interface content.
7) Improper Authorization (CVE-ID: CVE-2026-13151)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify group-level settings beyond their intended permissions.
The vulnerability exists due to improper authorization controls in group-level settings when handling modification requests. A remote privileged user can send crafted modification requests to modify group-level settings beyond their intended permissions.
8) Improper Authorization (CVE-ID: CVE-2026-6352)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify compliance violation records.
The vulnerability exists due to improper authorization in certain GraphQL operations in compliance violation management when handling GraphQL requests. A remote privileged user can send crafted GraphQL requests to modify compliance violation records.
Remediation
Install update from vendor's website.