
[CIVN-2026-0342] Multiple Vulnerabilities in GitLab
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in GitLab
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 19.1.1, 19.0.3, and 18.11.6.
Overview
Multiple vulnerabilities have been reported in GitLab CE/EE that could allow an attacker to execute arbitrary code, bypass security restrictions and gain unauthorized access to sensitive information on the targeted system.
Target Audience:
Organizations and individuals using GitLab CE/EE instances.
Risk Assessment:
Risk of unauthorized access, information disclosure, privilege escalation.
Impact Assessment:
Potential for unauthorized data access, data manipulation and authentication bypass.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration, and continuous deployment. It is available in both open-source Community Edition (CE) and Enterprise Edition (EE) versions.
These vulnerabilities exist in GitLab Community Edition (CE) and Enterprise Edition (EE) due to improper sanitization of user-supplied input, improper path validation under certain conditions, insufficient output filtering in Duo Workflows, authorization bypass through user-controlled keys, incorrect authorization, insufficient filtering in a CI/CD API endpoint, improper input validation, missing authorization, and improper URL validation.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security restrictions, and gain unauthorized access to sensitive information on the targeted system.
Solution
Apply appropriate updates as mentioned by the vendor:
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/
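Before applying the update, confirm whether an instance actually falls inside the affected range. The fixed releases are per release branch (19.1.x is fixed at 19.1.1, 19.0.x at 19.0.3, 18.11.x at 18.11.6), so a plain "is my version lower than 19.1.1" comparison gives wrong answers for the older branches. The following is an added example, not part of this advisory or of GitLab's own tooling: it parses the version string as returned in the "version" field of GitLab's authenticated GET /api/v4/version endpoint and applies the per-branch rule. The three fixed versions come from this advisory; the handling of branches not named here (newer branches treated as patched, older branches treated as unpatched because they received no backport) is an assumption, and the API response shown is constructed.

```python
"""Check a GitLab CE/EE version against the fixed releases named in the advisory.

Added example, not part of the CERT-In advisory or GitLab's own tooling.
The version string is the "version" field returned by GitLab's authenticated
GET /api/v4/version endpoint; here a constructed response is parsed offline.
The fixed versions 19.1.1, 19.0.3 and 18.11.6 are taken from the advisory;
the rules for branches not listed there are an assumption.
"""
import json
import re
from typing import Tuple

# First fixed patch level per release branch, keyed by (major, minor).
# Values are the patch releases named in the advisory.
FIXED_RELEASES = {
    (19, 1): 1,
    (19, 0): 3,
    (18, 11): 6,
}

# Newest branch that received a dedicated patch release.
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)

# Accept "MAJOR.MINOR.PATCH" with any trailing suffix such as "-ee" or "-pre".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string like '19.0.2-ee' into (19, 0, 2)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """Return True if this version predates the fix for its release branch.

    Rules (assumption, modelled on how backported patch releases work):
      * a branch listed in FIXED_RELEASES is affected below its fixed patch level;
      * a branch newer than every listed branch (e.g. 19.2.x) already carries the fix;
      * a branch older than every listed branch received no backport and is affected.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch < FIXED_RELEASES[branch]
    if branch > NEWEST_FIXED_BRANCH:
        return False
    return True


def affected_from_api_response(body: str) -> Tuple[str, bool]:
    """Evaluate the JSON body of GET /api/v4/version; returns (version, affected)."""
    version = json.loads(body)["version"]
    return version, is_affected(version)


# Constructed sample response in the shape GET /api/v4/version returns.
SAMPLE_RESPONSE = '{"version": "19.0.2-ee", "revision": "0123456789a"}'

if __name__ == "__main__":
    ver, affected = affected_from_api_response(SAMPLE_RESPONSE)
    print(f"{ver}: {'AFFECTED, upgrade required' if affected else 'patched'}")
    for v in ("19.1.0", "19.1.1", "19.2.0", "18.11.5", "18.11.6", "18.10.9"):
        print(f"{v}: {'affected' if is_affected(v) else 'not affected'}")
```

In practice the version string is fetched with a token that has at least read_api scope (for example `curl -H "PRIVATE-TOKEN: $TOKEN" https://gitlab.example/api/v4/version`, with the host being a placeholder) and fed to `affected_from_api_response`; the check is deliberately conservative and reports anything older than 18.11 as affected rather than guessing about unsupported branches.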
Vendor Information
GitLab
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/
References
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/
CVE Name
CVE-2026-10086
CVE-2026-10712
CVE-2026-12053
CVE-2026-5309
CVE-2026-2238
CVE-2026-11379
CVE-2026-8330
CVE-2026-1606
CVE-2026-5952
CVE-2026-5796
CVE-2026-0934
CVE-2026-3176
CVE-2026-12635
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
=QSoT
-----END PGP SIGNATURE-----