NCSC-2026-0211 [1.00] [M/H] Vulnerabilities fixed in GitLab Community Edition and Enterprise Edition
GitLab Inc. has fixed multiple vulnerabilities in GitLab Enterprise Edition (EE) and other GitLab versions, specifically in releases from version 8.3 to 19.1.1, with emphasis on versions around 18.11.6, 19.0.3, and 19.1.1. The vulnerabilities affect various components of GitLab, including the package management system, DAST site profile management, CI/CD API endpoints, Snippet feature, mirror synchronization, and project issue tracking. Various issues are related to improper authorization controls, insufficient validation of input and output, and improper filtering of sensitive data. This allows users with limited or authenticated rights to, among other things: - access package metadata despite disabled registrations, - bypass security rules for packages and overwrite metadata, - read secrets from DAST site profiles, - perform cross-site scripting (XSS) attacks via insufficient path validation and input sanitization, - access or modify protected environment configurations despite visibility settings, - place hidden or unauthorized content in Snippets, - view sensitive project information without proper rights, - inject client-side code into sessions of other users, - cause sensitive information to appear in logs due to insufficient filtering, - access confidential issue references on public projects without authentication, - access internal network resources via mirror synchronization due to insufficient URL validation, - and modify virtual registry cleanup policies of other groups due to insufficient access control. These vulnerabilities are present in multiple consecutive versions of GitLab and involve both authentication and authorization issues, as well as input and output validation.
CSIRTS triage
- What
- Multiple vulnerabilities affect various components of GitLab.
- Who is affected
- Users of GitLab Enterprise Edition and other affected versions.
- Urgency
- Remediation is important due to the potential for exploitation.
- Action
- Users should update to the latest version as soon as possible.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch GitLab Enterprise Edition
Get an email when a new GitLab Enterprise Edition advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0211
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-57960.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
- Low exploitation riskCVE-2026-59520.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
- Low exploitation riskCVE-2026-113790.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 9% of all scored CVEs.
- Low exploitation riskCVE-2026-107120.22% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 13% of all scored CVEs.
- Low exploitation riskCVE-2026-09340.20% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 10% of all scored CVEs.
- Low exploitation riskCVE-2026-16060.22% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 13% of all scored CVEs.
- Low exploitation riskCVE-2026-31760.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
- Low exploitation riskCVE-2026-100860.23% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 14% of all scored CVEs.
- Low exploitation riskCVE-2026-120530.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all scored CVEs.
- Low exploitation riskCVE-2026-83300.13% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 3% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-5796 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-5952 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11379 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-10712 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-0934 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-1606 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-3176 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-10086 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-12053 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-8330 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-2238 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-12635 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-5309 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownGitLab Multiple Vulnerabilitieshkcert
- unknownMultiple vulnerabilities in GitLab (June 25, 2026)cert-fr-avis
- criticalGitLab Patch Release: 19.1.1, 19.0.3, 18.11.6gitlab
Recent advisories for GitLab Community Edition
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Editionncsc-nl · 2026-07-10
- criticalexploitedCVE-2021-39935: GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerabilitycisa-kev · 2026-02-03
- criticalexploitedCVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerabilitycisa-kev · 2024-05-01
- criticalexploitedCVE-2021-22205: GitLab Community and Enterprise Editions Remote Code Execution Vulnerabilitycisa-kev · 2021-11-03
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03