
[CIVN-2026-0368] Multiple Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256
Multiple Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.11.7, 19.0.4 and 19.1.2
Overview
Multiple vulnerabilities have been reported in GitLab that could be exploited by an attacker to execute arbitrary scripts, perform Cross-Site Scripting (XSS) attacks, gain unauthorized access to protected resources, and perform unauthorized actions on the targeted system.
Target Audience:
All organizations and individuals using self-managed GitLab installations.
Risk Assessment:
High risk of cross-site scripting, sensitive information disclosure, credential exposure and unauthorized modification of settings or records.
Impact Assessment:
Potential for sensitive data theft, confidential information disclosure, session compromise through Cross-Site Scripting (XSS), unauthorized modification of settings or records, exposure of stored credentials, repository content manipulation, and loss of data integrity.
Description
GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available as Community Edition (CE) and Enterprise Edition (EE).
Multiple vulnerabilities exist in GitLab due to improper sanitization of user-supplied input, insufficient authorization controls, missing access-control checks and improper handling of Git reference name resolution. An attacker could exploit these vulnerabilities by sending specially crafted requests or supplying malicious input to the targeted system.
Successful exploitation of these vulnerabilities could allow an attacker to arbitrary scripts, perform Cross-Site Scripting (XSS) attacks, gain unauthorized access to protected resources, and perform unauthorized actions on the targeted system.
Solution
Apply appropriate updates as mentioned:
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/
Vendor Information
Gitlab
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/
References
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/
CVE Name
CVE-2026-6896
CVE-2026-13320
CVE-2026-11827
CVE-2026-8472
CVE-2026-7492
CVE-2025-12506
CVE-2026-13151
CVE-2026-6352
– —
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaLNMACgkQ3jCgcSdc
ys/vHA/9F7t6k0NEEw03PRsorYXOLFPg8IE1y7Z230d6S0TzMvSYA3jxO728JSzV
YbGT+ZMnczoSxnJzOylkVrgNC22okus+8We6mfSl8xPj4htUhw+tHwxsEDfuvUZ7
1pu83iz1fWdTGQIhAKQbqbgWLs7VmG16iG7rybB8XARNxf4CWjcj3TdjUyJCqOzh
dHiTgFOQ6wrJnaawZhXU93wBTxzFSg1aT06yRP/UIfX1dEkjv3XiUl0RgKYoUR92
6KoAfpFBHSjs6Jzclky9aIv7e88FF0c2o0ZldWq6g9DgTYDv0hpYTRafoPHoW4IJ
VmEfVV9tq35gItDRI3N+x6nqvlpq/NO//hqFVmzb20naVpsMk3q1E6/7NxrYAK08
rffWd7XWVaWVi7K0gt+lM5x14XgX7MgtL6Jouknmo4U3V0dTJ49enMXzsb9+n3Hq
zbaK4IjCVxVtfWmv+fVNiHkJOKm3QIHeihKoWrPEO2nI9bAsZ8GU4VM16kA2tzFl
4xoJTBJfTaaFv4EVWVDDdwjit6B4vRP5uBfWk3EZCrlVVZWETzOUoB8V8tga/4d/
a3PeiMgLJfX4PvW8KyqvfZh8JYPo7yPFg4CKyyDDKeYIgz8C1tqMAgBAGZegnAMj
X4MgjcyoMvyWFcv/c2+LK4DX6y7MFV0ORevCNq+k0LRbnGRinZ8=
=yUlE
—–END PGP SIGNATURE—–


