GitLab Fixes High-Severity Account Takeover, XSS Flaws
GitLab has released emergency security updates for its Community Edition (CE) and Enterprise Edition (EE), addressing 12 vulnerabilities, including two high-severity flaws rated CVSS 8.7 that could enable account takeover and cross-site scripting (XSS) attacks.
Administrators running self-managed instances are strongly urged to upgrade to GitLab 19.0.2, 18.11.5, or 18.10.8 immediately.
The coordinated patch release targets vulnerabilities spanning a broad range of GitLab features, including Group SAML identity management, Analytics Dashboards, CI/CD Catalog, various APIs, and Gitaly-based repository imports.
The flaws affect numerous GitLab versions, and the three patched releases now represent the minimum recommended baseline for all self-managed deployments.
GitLab Patches Multiple Flaws
Beyond the two high-severity account compromise vectors, the release resolves denial-of-service (DoS) vulnerabilities, multiple improper access control bugs, a server-side request forgery (SSRF), and HTML injection paths, lower-rated issues that could nonetheless be chained in larger GitLab environments to amplify their impact.
The most pressing issue is CVE-2026-6552, an improper access control vulnerability in GitLab EE’s Group SAML Identity API.
Under specific conditions, an authenticated user holding the Group Owner role can exploit weaknesses in the SAML identity management workflow to take over another member’s account without requiring that target user’s credentials.
The flaw affects GitLab EE from version 15.5 up to, but not including, the fixed releases 18.10.8, 18.11.5, and 19.0.2. It carries a CVSS 3.1 base score of 8.7, reflecting the high potential for unauthorized privilege escalation and lateral movement within GitLab organizations.
The second high-severity issue, CVE-2026-10087, is a stored cross-site scripting bug residing in GitLab EE’s Analytics Dashboard component.
An authenticated attacker with Developer-level permissions can inject malicious client-side scripts due to insufficient input sanitization, causing those scripts to execute in the browser context of any targeted user who views the affected dashboard.
Successful exploitation could lead to session hijacking, privilege escalation, and full account takeover. This bug affects GitLab EE from version 17.1 up to, but not including, the same fixed releases, and is also rated CVSS 8.7.
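To turn the version ranges above into something an administrator can run against an inventory, the following added example (not GitLab's own tooling) parses a GitLab version string, decides whether the instance is at or above the fixed release for its release line, and lists which of the two high-severity CVEs apply. It assumes that an `-ee` suffix on the version string (as returned by `GET /api/v4/version`) denotes Enterprise Edition, that release lines newer than 19.0 already carry the fix, and that instances on lines older than 18.10 should be treated as below the 18.10.8 baseline; the sample version strings are constructed for illustration.

```python
"""Classify a self-managed GitLab version against the fixed releases named in
the advisory (19.0.2, 18.11.5, 18.10.8).  Added example, not GitLab tooling."""
import json
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases, keyed by the (major, minor) release line they belong to.
FIXED: Dict[Tuple[int, int], Version] = {
    (19, 0): (19, 0, 2),
    (18, 11): (18, 11, 5),
    (18, 10): (18, 10, 8),
}
# Oldest fixed release; anything on an older line is below the baseline.
BASELINE: Version = (18, 10, 8)

# Release from which each high-severity CVE is stated to be affected (EE only).
AFFECTED_FROM: Dict[str, Tuple[int, int]] = {
    "CVE-2026-6552": (15, 5),   # Group SAML Identity API, improper access control
    "CVE-2026-10087": (17, 1),  # Analytics Dashboard, stored XSS
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """'18.11.3-ee' -> (18, 11, 3).  Suffixes such as -ee or -rc1 are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_enterprise(text: str) -> bool:
    """Assumption: the '-ee' suffix marks Enterprise Edition; no suffix means CE."""
    return text.strip().endswith("-ee")


def is_patched(version: Version) -> bool:
    """True if the version is at or above the fixed release of its line."""
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    # Assumption: lines newer than 19.0 ship the fix; older lines do not.
    return line > (19, 0)


def recommended_release(version: Version) -> Optional[Version]:
    """Fixed release to move to, or None if already patched."""
    if is_patched(version):
        return None
    return FIXED.get(version[:2], BASELINE)


def affected_high_severity_cves(version: Version, enterprise: bool) -> List[str]:
    """The two 8.7-rated CVEs apply only to EE and only from their start line."""
    if not enterprise or is_patched(version):
        return []
    return [cve for cve, start in AFFECTED_FROM.items() if version[:2] >= start]


def assess(version_string: str) -> dict:
    """Summarise exposure of one instance from its reported version string."""
    version = parse_version(version_string)
    ee = is_enterprise(version_string)
    target = recommended_release(version)
    return {
        "version": version,
        "edition": "EE" if ee else "CE",
        "patched": is_patched(version),
        "upgrade_to": ".".join(map(str, target)) if target else None,
        "high_severity_cves": affected_high_severity_cves(version, ee),
    }


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GET /api/v4/version (needs a PAT)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inventory, not real instances.
    for v in ("18.11.3-ee", "18.10.8-ee", "17.0.1-ee", "18.11.3", "19.1.0-ee"):
        print(v, "->", assess(v))
```

The `fetch_version` helper is the only part that touches the network; everything else is pure so it can be run over an exported inventory of version strings. A CE instance below the baseline still shows `patched: False` even though the two EE-only CVEs are not listed for it, since the remaining ten fixes in the release may still apply.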
Additional Vulnerabilities Patched
| CVE ID | Issue Type | CVSS Score | Severity |
|---|---|---|---|
| CVE-2026-7250 | Denial of service | 7.5 | High |
| CVE-2026-8589 | HTML injection/account email abuse | 7.3 | High |
| CVE-2026-1500 | Denial of service | 6.5 | Medium |
| CVE-2026-6269 | Improper access control | 5.4 | Medium |
| CVE-2026-9204 | Server-side request forgery (SSRF) | 5.3 | Medium |
| CVE-2026-10733 | HTML injection/denial of service | 4.3 | Medium |
| CVE-2026-6277 | Improper access control | 4.3 | Medium |
| CVE-2026-6976 | Authorization bypass / hidden diffs | 3.7 | Low |
| CVE-2026-3553 | Improper access control/data exposure | 3.1 | Low |
| CVE-2026-9694 | Improper neutralization/impersonation | 2.6 | Low |
The patched releases bundle security fixes alongside stability improvements, including updates to Ruby JWT dependencies, Rails components, Gitaly, and the Container Registry.
GitLab warns that single-node deployments will experience downtime during the upgrade due to required database migrations, while multi-node environments can leverage zero-downtime upgrade procedures.
Security teams should prioritize the following actions:
- Upgrade to GitLab 19.0.2, 18.11.5, or 18.10.8 as soon as possible
- Review audit logs for suspicious activity in Group SAML, Analytics Dashboard, and API components
- Rotate sensitive credentials and tokens if exploitation is suspected
- Monitor privileged accounts, particularly Group Owners, for anomalous behavior