CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

NCSC-2026-0211 [1.00] [M/H] Vulnerabilities fixed in GitLab Community Edition and Enterprise Edition

unknownCVE-2026-5796CVE-2026-5952CVE-2026-11379CVE-2026-10712CVE-2026-0934CVE-2026-1606
GitLab Inc. has fixed multiple vulnerabilities in GitLab Enterprise Edition (EE) and other GitLab versions, specifically in releases from version 8.3 to 19.1.1, with emphasis on versions around 18.11.6, 19.0.3, and 19.1.1. The vulnerabilities affect various components of GitLab, including the package management system, DAST site profile management, CI/CD API endpoints, Snippet feature, mirror synchronization, and project issue tracking. Various issues are related to improper authorization controls, insufficient validation of input and output, and improper filtering of sensitive data. This allows users with limited or authenticated rights to, among other things: - access package metadata despite disabled registrations, - bypass security rules for packages and overwrite metadata, - read secrets from DAST site profiles, - perform cross-site scripting (XSS) attacks via insufficient path validation and input sanitization, - access or modify protected environment configurations despite visibility settings, - place hidden or unauthorized content in Snippets, - view sensitive project information without proper rights, - inject client-side code into sessions of other users, - cause sensitive information to appear in logs due to insufficient filtering, - access confidential issue references on public projects without authentication, - access internal network resources via mirror synchronization due to insufficient URL validation, - and modify virtual registry cleanup policies of other groups due to insufficient access control. These vulnerabilities are present in multiple consecutive versions of GitLab and involve both authentication and authorization issues, as well as input and output validation.

CSIRTS triage

What
Multiple vulnerabilities affect various components of GitLab.
Who is affected
Users of GitLab Enterprise Edition and other affected versions.
Urgency
Remediation is important due to the potential for exploitation.
Action
Users should update to the latest version as soon as possible.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch GitLab Enterprise Edition

Get an email when a new GitLab Enterprise Edition advisory drops — max one per day, one-click unsubscribe.

Details

Source
NCSC-NL Advisories (NL · national-cert · site)
Severity
unknown
Published
2026-06-25
Exploitation
Not in CISA KEV at last sync
Language
Machine-translated to English — verify against the original

Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0211

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-5796coverage & exploitation statusNVD · CVE.org
CVE-2026-5952coverage & exploitation statusNVD · CVE.org
CVE-2026-11379coverage & exploitation statusNVD · CVE.org
CVE-2026-10712coverage & exploitation statusNVD · CVE.org
CVE-2026-0934coverage & exploitation statusNVD · CVE.org
CVE-2026-1606coverage & exploitation statusNVD · CVE.org
CVE-2026-3176coverage & exploitation statusNVD · CVE.org
CVE-2026-10086coverage & exploitation statusNVD · CVE.org
CVE-2026-12053coverage & exploitation statusNVD · CVE.org
CVE-2026-8330coverage & exploitation statusNVD · CVE.org
CVE-2026-2238coverage & exploitation statusNVD · CVE.org
CVE-2026-12635coverage & exploitation statusNVD · CVE.org
CVE-2026-5309coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for GitLab Community Edition

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NCSC-NL Advisories