CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

NCSC-2026-0196 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition

unknownCVE-2026-10087CVE-2026-10733CVE-2026-1500CVE-2026-3553CVE-2026-6269CVE-2026-6277
GitLab has fixed multiple vulnerabilities in GitLab Community Edition and Enterprise Edition (EE) versions ranging from 12.0 to 19.0.2, including major releases such as 17.x, 18.10.8, 18.11.5, and 19.0.2. The vulnerabilities affect various components of GitLab CE & EE. Authenticated users with developer permissions can execute arbitrary client-side code via the Analytics Dashboard interface due to insufficient sanitization of user input. A denial of service (DoS) can be caused on the CI/CD Catalog page by improper input sanitization, making the page unavailable. A DoS can also occur by uploading specially crafted files that lead to resource exhaustion, which can crash or make the GitLab service unresponsive. Furthermore, authenticated users can gain unauthorized access to confidential issue data due to improper authorization controls. Developer users can modify hidden merge requests due to flawed authorization, and also manipulate merge request diff views by improper handling of file names, which can hide changes during code reviews. Users with the Security Manager role can manage project security settings despite this feature being disabled, due to improper authorization. Within Group SAML identity management, group Owners can take control over other group members due to improper authorization controls. Unauthorized email addresses can be added to accounts via insufficient input sanitization in group settings. During repository import, insufficient validation of secondary URLs can lead to reading arbitrary files on the Gitaly server and access to internal network resources. Finally, an unauthenticated user can impersonate the GitLab Support Bot by injecting arbitrary content into Service Desk email responses, caused by improper handling of email templates.

CSIRTS triage

What
Multiple vulnerabilities allow authenticated users to execute arbitrary code, cause denial of service, and gain unauthorized access to confidential data.
Who is affected
Authenticated users with developer permissions in GitLab CE and EE versions 12.0 to 19.0.2 are affected.
Urgency
Remediation is critical due to the high impact of the vulnerabilities.
Action
Update to the latest version of GitLab.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch GitLab Community Edition and Enterprise Edition

Get an email when a new GitLab Community Edition and Enterprise Edition advisory drops — max one per day, one-click unsubscribe.

Details

Source
NCSC-NL Advisories (NL · national-cert · site)
Severity
unknown
Published
2026-06-12
Exploitation
Not in CISA KEV at last sync
Language
Machine-translated to English — verify against the original

Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0196

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-10087coverage & exploitation statusNVD · CVE.org
CVE-2026-10733coverage & exploitation statusNVD · CVE.org
CVE-2026-1500coverage & exploitation statusNVD · CVE.org
CVE-2026-3553coverage & exploitation statusNVD · CVE.org
CVE-2026-6269coverage & exploitation statusNVD · CVE.org
CVE-2026-6277coverage & exploitation statusNVD · CVE.org
CVE-2026-6552coverage & exploitation statusNVD · CVE.org
CVE-2026-6976coverage & exploitation statusNVD · CVE.org
CVE-2026-7250coverage & exploitation statusNVD · CVE.org
CVE-2026-8589coverage & exploitation statusNVD · CVE.org
CVE-2026-9204coverage & exploitation statusNVD · CVE.org
CVE-2026-9694coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for GitLab Enterprise Edition

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NCSC-NL Advisories