[CIVN-2026-0368] Multiple Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)

By Published On: July 17, 2026

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256


Multiple Vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE)


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


GitLab Community Edition (CE) and Enterprise Edition (EE) versions prior to 18.11.7, 19.0.4 and 19.1.2

Overview


Multiple vulnerabilities have been reported in GitLab that could be exploited by an attacker to execute arbitrary scripts, perform Cross-Site Scripting (XSS) attacks, gain unauthorized access to protected resources, and perform unauthorized actions on the targeted system.


Target Audience:

All organizations and individuals using self-managed GitLab installations.


Risk Assessment:

High risk of cross-site scripting, sensitive information disclosure, credential exposure and unauthorized modification of settings or records.


Impact Assessment:

Potential for sensitive data theft, confidential information disclosure, session compromise through Cross-Site Scripting (XSS), unauthorized modification of settings or records, exposure of stored credentials, repository content manipulation, and loss of data integrity.


Description


GitLab is a web-based DevOps platform that provides tools for software development, including source code management, continuous integration and continuous deployment. It is available as Community Edition (CE) and Enterprise Edition (EE).


Multiple vulnerabilities exist in GitLab due to improper sanitization of user-supplied input, insufficient authorization controls, missing access-control checks and improper handling of Git reference name resolution. An attacker could exploit these vulnerabilities by sending specially crafted requests or supplying malicious input to the targeted system.


Successful exploitation of these vulnerabilities could allow an attacker to arbitrary scripts, perform Cross-Site Scripting (XSS) attacks, gain unauthorized access to protected resources, and perform unauthorized actions on the targeted system.


Solution


Apply appropriate updates as mentioned:

https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/



Vendor Information


Gitlab

https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/


References


 

https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/


CVE Name

CVE-2026-6896

CVE-2026-13320

CVE-2026-11827

CVE-2026-8472

CVE-2026-7492

CVE-2025-12506

CVE-2026-13151

CVE-2026-6352




– —


Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–


iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmpaLNMACgkQ3jCgcSdc

ys/vHA/9F7t6k0NEEw03PRsorYXOLFPg8IE1y7Z230d6S0TzMvSYA3jxO728JSzV

YbGT+ZMnczoSxnJzOylkVrgNC22okus+8We6mfSl8xPj4htUhw+tHwxsEDfuvUZ7

1pu83iz1fWdTGQIhAKQbqbgWLs7VmG16iG7rybB8XARNxf4CWjcj3TdjUyJCqOzh

dHiTgFOQ6wrJnaawZhXU93wBTxzFSg1aT06yRP/UIfX1dEkjv3XiUl0RgKYoUR92

6KoAfpFBHSjs6Jzclky9aIv7e88FF0c2o0ZldWq6g9DgTYDv0hpYTRafoPHoW4IJ

VmEfVV9tq35gItDRI3N+x6nqvlpq/NO//hqFVmzb20naVpsMk3q1E6/7NxrYAK08

rffWd7XWVaWVi7K0gt+lM5x14XgX7MgtL6Jouknmo4U3V0dTJ49enMXzsb9+n3Hq

zbaK4IjCVxVtfWmv+fVNiHkJOKm3QIHeihKoWrPEO2nI9bAsZ8GU4VM16kA2tzFl

4xoJTBJfTaaFv4EVWVDDdwjit6B4vRP5uBfWk3EZCrlVVZWETzOUoB8V8tga/4d/

a3PeiMgLJfX4PvW8KyqvfZh8JYPo7yPFg4CKyyDDKeYIgz8C1tqMAgBAGZegnAMj

X4MgjcyoMvyWFcv/c2+LK4DX6y7MFV0ORevCNq+k0LRbnGRinZ8=

=yUlE

—–END PGP SIGNATURE—–

Share this article