NCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition
GitLab has fixed multiple vulnerabilities in GitLab Enterprise Edition (EE) and Community Edition (CE) in versions ranging from 9.1 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2. The vulnerabilities include: - Creating repositories with discrepancies between the web interface and the actual downloadable files due to incorrect processing of Git reference names. - Insufficient authorization controls in GraphQL operations allowing users with auditor permissions to modify compliance violation records. - Cross-site scripting (XSS) where users with developer permissions can inject malicious scripts into the browsers of other users due to improper input sanitization. - Unauthorized detection of private projects by unauthorized users via cross-project reference pages. - Bypassing authorization controls allowing users with minimal access rights to view metadata of work items in private projects. - Access to stored credentials of other users by maintainers due to insufficient access restrictions. - Unauthorized modification of group settings due to incorrect authorization controls at the group level. These vulnerabilities allow users with varying access rights to perform actions or view information that should normally be restricted, by bypassing authorization controls or exploiting improper input processing.
CSIRTS triage
- What
- Multiple vulnerabilities include XSS and insufficient authorization controls.
- Who is affected
- Deployments of GitLab EE and CE in the specified version range are affected.
- Urgency
- Remediation is important due to the potential for unauthorized access and exploitation.
- Action
- Update to the latest version of GitLab to mitigate these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch GitLab Enterprise Edition and Community Edition
Get an email when a new GitLab Enterprise Edition and Community Edition advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0222
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-125060.19% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 8% of all scored CVEs.
- Low exploitation riskCVE-2026-63520.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all scored CVEs.
- Low exploitation riskCVE-2026-68960.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
- Low exploitation riskCVE-2026-74920.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
- Low exploitation riskCVE-2026-84720.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
- Low exploitation riskCVE-2026-118270.26% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all scored CVEs.
- Low exploitation riskCVE-2026-131510.16% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 6% of all scored CVEs.
- Low exploitation riskCVE-2026-133200.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-12506 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6352 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-6896 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-7492 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-8472 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-11827 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-13151 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-13320 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[NEW] [high] GitLab: Multiple vulnerabilitiescert-bund
- unknownMultiple vulnerabilities in GitLab (July 09, 2026)cert-fr-avis
- mediumCVE-2026-8472: GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19…nvd
- mediumCVE-2026-7492: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, …nvd
- highCVE-2026-6896: GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 before 18.11.7, 1…nvd
- lowCVE-2026-6352: GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19…nvd
- highCVE-2026-13320: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7…nvd
- lowCVE-2026-13151: GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, …nvd
- mediumCVE-2026-11827: GitLab has remediated an issue in GitLab EE affecting all versions from 9.5 before 18.11.7, 19…nvd
- lowCVE-2025-12506: GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7…nvd
- criticalGitLab Patch Release: 19.1.2, 19.0.4, 18.11.7gitlab
Recent advisories for GitLab Enterprise Edition
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownNCSC-2026-0211 [1.00] [M/H] Vulnerabilities fixed in GitLab Community Edition and Enterprise Editionncsc-nl · 2026-06-25
- unknownNCSC-2026-0196 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Editionncsc-nl · 2026-06-12
- criticalexploitedCVE-2021-39935: GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerabilitycisa-kev · 2026-02-03
- criticalexploitedCVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerabilitycisa-kev · 2024-05-01
- criticalexploitedCVE-2021-22205: GitLab Community and Enterprise Editions Remote Code Execution Vulnerabilitycisa-kev · 2021-11-03
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03
- unknownNCSC-2026-0218 [1.00] [M/H] Vulnerability fixed in Cisco Catalyst Center2026-07-02