CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

NCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition

unknownCVE-2025-12506CVE-2026-6352CVE-2026-6896CVE-2026-7492CVE-2026-8472CVE-2026-11827
GitLab has fixed multiple vulnerabilities in GitLab Enterprise Edition (EE) and Community Edition (CE) in versions ranging from 9.1 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2. The vulnerabilities include: - Creating repositories with discrepancies between the web interface and the actual downloadable files due to incorrect processing of Git reference names. - Insufficient authorization controls in GraphQL operations allowing users with auditor permissions to modify compliance violation records. - Cross-site scripting (XSS) where users with developer permissions can inject malicious scripts into the browsers of other users due to improper input sanitization. - Unauthorized detection of private projects by unauthorized users via cross-project reference pages. - Bypassing authorization controls allowing users with minimal access rights to view metadata of work items in private projects. - Access to stored credentials of other users by maintainers due to insufficient access restrictions. - Unauthorized modification of group settings due to incorrect authorization controls at the group level. These vulnerabilities allow users with varying access rights to perform actions or view information that should normally be restricted, by bypassing authorization controls or exploiting improper input processing.

CSIRTS triage

vendor: GitLabproduct: GitLab Enterprise Edition and Community EditionCross-site scriptingAuthentication bypassaffected: 9.1 to before 18.11.7, 19.0 to before 19.0.4, 19.1 to before 19.1.2
What
Multiple vulnerabilities include XSS and insufficient authorization controls.
Who is affected
Deployments of GitLab EE and CE in the specified version range are affected.
Urgency
Remediation is important due to the potential for unauthorized access and exploitation.
Action
Update to the latest version of GitLab to mitigate these vulnerabilities.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch GitLab Enterprise Edition and Community Edition

Get an email when a new GitLab Enterprise Edition and Community Edition advisory drops — max one per day, one-click unsubscribe.

Details

Source
NCSC-NL Advisories (NL · national-cert · site)
Severity
unknown
Published
2026-07-10
Exploitation
Not in CISA KEV at last sync
Language
Machine-translated to English — verify against the original

Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0222

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-12506coverage & exploitation statusNVD · CVE.org
CVE-2026-6352coverage & exploitation statusNVD · CVE.org
CVE-2026-6896coverage & exploitation statusNVD · CVE.org
CVE-2026-7492coverage & exploitation statusNVD · CVE.org
CVE-2026-8472coverage & exploitation statusNVD · CVE.org
CVE-2026-11827coverage & exploitation statusNVD · CVE.org
CVE-2026-13151coverage & exploitation statusNVD · CVE.org
CVE-2026-13320coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

Recent advisories for GitLab Enterprise Edition

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NCSC-NL Advisories