CVE-2026-10086 Overview
CVE-2026-10086 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in GitLab Enterprise Edition (EE). The flaw affects all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. An authenticated user holding developer-role permissions can inject client-side code that executes in another user's browser session. The root cause is improper sanitization of user-supplied input rendered by the GitLab EE web interface.
Critical Impact
Authenticated developers can execute arbitrary JavaScript in a victim's session, enabling session compromise, data theft, and impersonation of higher-privileged users such as maintainers or administrators.
Affected Products
- GitLab EE versions 16.4 through 18.11.5
- GitLab EE versions 19.0 through 19.0.2
- GitLab EE versions 19.1 (prior to 19.1.1)
Discovery Timeline
- 2026-06-25 - CVE-2026-10086 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-10086
Vulnerability Analysis
The vulnerability is a stored XSS issue in GitLab EE. GitLab fails to properly sanitize user-supplied input before rendering it in the web UI. An authenticated attacker with developer-role permissions submits crafted input through a feature available to that role. When another user later views the affected resource, the injected script executes inside that user's browser context.
Because the CVSS scope is changed, the executed script can affect resources beyond the vulnerable component, including authenticated sessions for projects and groups the victim has access to. The attack requires user interaction, meaning the victim must view the malicious content. Confidentiality and integrity impact are both rated high, while availability is unaffected.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. GitLab EE rendered developer-supplied content without applying sufficient HTML or JavaScript encoding. The flaw exists in user-facing fields accessible to accounts at the developer permission level, allowing the payload to be stored server-side and replayed to subsequent viewers.
Attack Vector
The attack vector is network-based and requires low privileges plus victim interaction. An attacker authenticates to GitLab with developer-role access on a target project. The attacker submits a payload containing JavaScript through an input field that bypasses sanitization. When a victim with an active session loads the page, the payload executes and can exfiltrate cookies, perform CSRF-style API calls, or alter rendered content.
No verified public proof-of-concept code is available. Technical details are tracked in the HackerOne Report #3734800 and the GitLab Work Item Overview.
Detection Methods for CVE-2026-10086
Indicators of Compromise
- Unexpected <script> tags, event handler attributes (onerror, onload), or javascript: URIs stored in GitLab project descriptions, issue bodies, merge request fields, or wiki pages
- Outbound requests from authenticated GitLab sessions to attacker-controlled domains observed in browser or proxy logs
- API calls or content changes attributed to users who did not initiate them, indicating session-context abuse
Detection Strategies
- Review GitLab audit events for content edits by developer-role accounts followed by views from higher-privileged users such as maintainers or admins
- Scan GitLab database content and rendered pages for HTML tags and JavaScript patterns in fields that should contain plain text or sanitized markdown
- Correlate web server access logs for unusual GET patterns on project pages immediately followed by external HTTP requests from the same client IP
Monitoring Recommendations
- Enable and forward GitLab application and audit logs to a centralized log platform for retention and query
- Monitor for anomalous personal access token creation or privilege changes shortly after a maintainer or admin views developer-authored content
- Track outbound network connections from administrator workstations to non-corporate domains during GitLab browsing sessions
How to Mitigate CVE-2026-10086
Immediate Actions Required
- Upgrade GitLab EE to version 18.11.6, 19.0.3, or 19.1.1 or later, depending on the deployed branch
- Audit recent contributions and content changes made by developer-role accounts across all projects since the affected versions were installed
- Rotate session tokens and personal access tokens for users who may have viewed untrusted developer-authored content
Patch Information
GitLab released fixed versions 18.11.6, 19.0.3, and 19.1.1. Apply the upgrade following the guidance in the GitLab Patch Release Note. Self-managed GitLab EE administrators should plan an immediate maintenance window. GitLab.com instances are patched by the vendor.
Workarounds
- Restrict developer-role assignments to trusted users until patching is complete
- Enforce a strict Content Security Policy (CSP) at the reverse proxy layer to limit inline script execution and external script loading
- Limit the projects and groups that privileged users browse until the upgrade is verified in production
# Verify the running GitLab EE version after upgrade
sudo gitlab-rake gitlab:env:info | grep -i version
# Example upgrade on Omnibus GitLab (Debian/Ubuntu)
sudo apt-get update
sudo apt-get install gitlab-ee=19.1.1-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

