[CIVN-2026-0204] Multiple Vulnerabilities in GitLab

Published On: April 27, 2026



Multiple Vulnerabilities in GitLab


Indian Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


GitLab versions prior to 18.9.6, 18.10.4, and 18.11.1 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Overview


Multiple vulnerabilities have been reported in GitLab CE/EE which could allow a remote attacker to cause Denial of Service (DoS), cross-site request forgery, unauthorized access or cross-site scripting on the targeted system.


Target Audience:

Organizations and individuals using GitLab CE/EE instances.


Risk Assessment:

High risk of unauthorized access to sensitive data, disruption of services and compromise of system integrity.


Impact Assessment:

Potential for account takeover, stored cross-site scripting attacks, denial of service (DoS) conditions, bypass of security restrictions, or access to sensitive information.


Description


GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available in both an open-source Community Edition (CE) and an Enterprise Edition (EE).


These vulnerabilities exist in the GitLab Community Edition (CE) and Enterprise Edition (EE) due to insufficient input validation, improper access control, inadequate session management, and lack of resource limitation and CSRF protections.


Successful exploitation of these vulnerabilities could allow a remote attacker to trigger a denial of service condition, compromise user accounts, gain unauthorized access to sensitive information and gain elevated privileges on the targeted system.


Solution


Apply appropriate updates as mentioned by the vendor:

https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/
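
Added example (not CERT-In's or GitLab's own code): a small Python helper that decides whether a reported GitLab version string predates the fixed releases named above, so version output collected from an inventory can be triaged branch by branch. It assumes that branches older than 18.9 are affected and that branches newer than 18.11 already carry the fixes; the version string itself can be taken from the instance's authenticated `/api/v4/version` endpoint.

```python
"""Triage GitLab version strings against the fixed releases in this advisory.

Assumptions (not stated in the advisory): a branch older than 18.9 never
received these fixes, and a branch newer than 18.11 already includes them.
"""
import re
from typing import Optional, Tuple

# Fixed versions named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (18, 9): (18, 9, 6),
    (18, 10): (18, 10, 4),
    (18, 11): (18, 11, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; edition suffixes such as '-ee' are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version is older than the patch release for its branch."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    # Unlisted branch: affected only if older than the oldest fixed release
    # (assumption: newer branches already ship with the fixes).
    return (major, minor, patch) < min(FIXED_VERSIONS.values())


def required_update(version: str) -> Optional[str]:
    """Minimum fixed release for an affected version, or None if already fixed."""
    if not is_affected(version):
        return None
    fixed = FIXED_VERSIONS.get(parse_version(version)[:2])
    return ".".join(map(str, fixed)) if fixed else "18.9.6 (or a later branch)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("ci-1", "18.9.5-ee"), ("ci-2", "18.10.4"), ("ci-3", "18.8.2")]:
        print(host, ver, "AFFECTED -> update to " + required_update(ver)
              if is_affected(ver) else "not affected")
```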



Vendor Information


GitLab

https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/


References



https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/


CVE Name

CVE-2026-4922

CVE-2026-5816

CVE-2026-5262

CVE-2026-0186

CVE-2026-1660

CVE-2026-6016

CVE-2026-3922

CVE-2026-6515

CVE-2026-5377

CVE-2026-3254

CVE-2026-9957






Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

