CVE-2026-6896

GitLab · GitLab EE

GitLab EE is vulnerable to a stored Cross-Site Scripting (XSS) attack, allowing authenticated users to inject malicious scripts into web pages viewed by other users.

Executive summary

A stored Cross-Site Scripting vulnerability in GitLab EE allows authenticated attackers to execute malicious scripts in the context of other users' browser sessions.

Vulnerability

The application fails to properly neutralize user-supplied input (CWE-79), resulting in an XSS vulnerability. An authenticated attacker can exploit this to execute arbitrary JavaScript in the victim's browser.

Business impact

With a CVSS score of 8.7, this vulnerability poses a severe threat to session security and data integrity. An attacker could hijack user sessions, steal session tokens, or perform actions on behalf of authenticated users, including high-privilege accounts, potentially leading to unauthorized repository access.

Remediation

Immediate Action: Upgrade GitLab EE to versions 18.11.7, 19.0.4, 19.1.2, or higher as specified by the vendor.

Proactive Monitoring: Review audit logs for suspicious activity or anomalous script injections within merge requests or issue comments.

Compensating Controls: Enforce strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, mitigating the impact of XSS.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk of session hijacking via XSS is significant for development environments. Security teams should deploy the provided patches immediately to protect user accounts and the integrity of the GitLab instance.