CVE-2026-6896
GitLab · GitLab EE
GitLab EE is vulnerable to a stored Cross-Site Scripting (XSS) attack, allowing authenticated users to inject malicious scripts into web pages viewed by other users.
Executive summary
A stored Cross-Site Scripting vulnerability in GitLab EE allows authenticated attackers to execute malicious scripts in the context of other users' browser sessions.
Vulnerability
The application fails to properly neutralize user-supplied input (CWE-79), resulting in an XSS vulnerability. An authenticated attacker can exploit this to execute arbitrary JavaScript in the victim's browser.
Business impact
With a CVSS score of 8.7, this vulnerability poses a severe threat to session security and data integrity. An attacker could hijack user sessions, steal session tokens, or perform actions on behalf of authenticated users, including high-privilege accounts, potentially leading to unauthorized repository access.
Remediation
Immediate Action: Upgrade GitLab EE to versions 18.11.7, 19.0.4, 19.1.2, or higher as specified by the vendor.
Proactive Monitoring: Review audit logs for suspicious activity or anomalous script injections within merge requests or issue comments.
Compensating Controls: Enforce strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, mitigating the impact of XSS.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of session hijacking via XSS is significant for development environments. Security teams should deploy the provided patches immediately to protect user accounts and the integrity of the GitLab instance.