NCSC-2026-0196 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition
GitLab has fixed multiple vulnerabilities in GitLab Community Edition and Enterprise Edition (EE) versions ranging from 12.0 to 19.0.2, including major releases such as 17.x, 18.10.8, 18.11.5, and 19.0.2. The vulnerabilities affect various components of GitLab CE & EE. Authenticated users with developer permissions can execute arbitrary client-side code via the Analytics Dashboard interface due to insufficient sanitization of user input. A denial of service (DoS) can be caused on the CI/CD Catalog page by improper input sanitization, making the page unavailable. A DoS can also occur by uploading specially crafted files that lead to resource exhaustion, which can crash or make the GitLab service unresponsive. Furthermore, authenticated users can gain unauthorized access to confidential issue data due to improper authorization controls. Developer users can modify hidden merge requests due to flawed authorization, and also manipulate merge request diff views by improper handling of file names, which can hide changes during code reviews. Users with the Security Manager role can manage project security settings despite this feature being disabled, due to improper authorization. Within Group SAML identity management, group Owners can take control over other group members due to improper authorization controls. Unauthorized email addresses can be added to accounts via insufficient input sanitization in group settings. During repository import, insufficient validation of secondary URLs can lead to reading arbitrary files on the Gitaly server and access to internal network resources. Finally, an unauthenticated user can impersonate the GitLab Support Bot by injecting arbitrary content into Service Desk email responses, caused by improper handling of email templates.
CSIRTS triage
- What
- Multiple vulnerabilities allow authenticated users to execute arbitrary code, cause denial of service, and gain unauthorized access to confidential data.
- Who is affected
- Authenticated users with developer permissions in GitLab CE and EE versions 12.0 to 19.0.2 are affected.
- Urgency
- Remediation is critical due to the high impact of the vulnerabilities.
- Action
- Update to the latest version of GitLab.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch GitLab Community Edition and Enterprise Edition
Get an email when a new GitLab Community Edition and Enterprise Edition advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0196
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-100870.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 16% of all scored CVEs.
- Low exploitation riskCVE-2026-107330.22% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 12% of all scored CVEs.
- Low exploitation riskCVE-2026-15000.32% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 24% of all scored CVEs.
- Low exploitation riskCVE-2026-35530.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 14% of all scored CVEs.
- Low exploitation riskCVE-2026-62690.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
- Low exploitation riskCVE-2026-62770.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
- Low exploitation riskCVE-2026-65520.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
- Low exploitation riskCVE-2026-69760.16% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 5% of all scored CVEs.
- Low exploitation riskCVE-2026-72500.37% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 29% of all scored CVEs.
- Low exploitation riskCVE-2026-85890.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-10087 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-10733 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-1500 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-3553 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6269 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6277 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6552 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6976 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7250 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-8589 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9204 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-9694 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- criticalGitLab Patch Release: 19.0.2, 18.11.5, 18.10.8gitlab
Recent advisories for GitLab Enterprise Edition
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Editionncsc-nl · 2026-07-10
- unknownNCSC-2026-0211 [1.00] [M/H] Vulnerabilities fixed in GitLab Community Edition and Enterprise Editionncsc-nl · 2026-06-25
- criticalexploitedCVE-2021-39935: GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerabilitycisa-kev · 2026-02-03
- criticalexploitedCVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerabilitycisa-kev · 2024-05-01
- criticalexploitedCVE-2021-22205: GitLab Community and Enterprise Editions Remote Code Execution Vulnerabilitycisa-kev · 2021-11-03
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03