Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10712

CVE-2026-10712: GitLab CE/EE XSS Vulnerability

CVE-2026-10712 is a cross-site scripting flaw in GitLab CE/EE that allows unauthenticated attackers to execute arbitrary JavaScript in user browsers. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10712 Overview

CVE-2026-10712 is a cross-site scripting (XSS) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw stems from improper path validation, which under certain conditions allows an unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session. The issue impacts GitLab CE/EE versions 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1. GitLab has released patches addressing the issue across all affected release branches. The vulnerability is tracked under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Critical Impact

Unauthenticated attackers can execute arbitrary JavaScript in a victim's browser, leading to session compromise, credential theft, and unauthorized actions in the GitLab instance.

Affected Products

  • GitLab CE/EE versions 18.10 through 18.11.5
  • GitLab CE/EE versions 19.0 through 19.0.2
  • GitLab CE/EE versions 19.1 through 19.1.0

Discovery Timeline

  • 2026-06-25 - CVE-2026-10712 published to NVD
  • 2026-06-25 - Last updated in NVD database
  • Reporting channel - Reported via HackerOne Report #3688717

Technical Details for CVE-2026-10712

Vulnerability Analysis

The vulnerability is a stored or reflected cross-site scripting flaw rooted in improper path validation within GitLab CE/EE. When GitLab processes specific paths under certain conditions, it fails to properly neutralize attacker-controlled input before rendering it in the user interface. The resulting output allows JavaScript to execute in the context of the victim's browser session.

Because exploitation requires no authentication, any user who interacts with a crafted link or resource is at risk. Successful exploitation leverages the trust relationship between the user and the GitLab origin. Attackers can hijack sessions, exfiltrate tokens, or perform privileged actions on behalf of authenticated victims.

The attack chain requires user interaction, typically clicking a malicious link, and the scope change indicates that code execution affects resources beyond the vulnerable component. Confidentiality and integrity of user data and projects accessible to the victim are at risk.

Root Cause

The root cause is improper path validation logic that fails to sanitize or canonicalize specific path inputs before they reach a rendering context. This permits attacker-controlled payloads to be reflected into the DOM as executable script content, violating the contextual output encoding requirements described in CWE-79.

Attack Vector

An unauthenticated attacker crafts a URL or resource containing a malicious payload that abuses the path validation weakness. The attacker delivers the link through phishing, embedded references, or public project content. When the victim opens the crafted resource in a browser authenticated to the vulnerable GitLab instance, the injected JavaScript executes within the GitLab origin. The attacker can then read DOM contents, issue authenticated API calls, or exfiltrate session material. Technical details are documented in GitLab Work Item #601857 and the GitLab 19.1.1 patch release notes.

Detection Methods for CVE-2026-10712

Indicators of Compromise

  • Unusual outbound requests from authenticated user sessions to attacker-controlled domains shortly after clicking GitLab links.
  • Web server access logs containing suspicious path patterns with encoded <script>, javascript:, or event handler payloads targeting GitLab routes.
  • Unexpected personal access token creation, SSH key additions, or webhook configuration changes initiated from user sessions.
  • Browser console errors or content security policy violations recorded by GitLab users accessing crafted URLs.

Detection Strategies

  • Inspect GitLab production logs (production_json.log, api_json.log) for requests containing encoded script payloads or unusual path traversal sequences.
  • Deploy or tune a web application firewall (WAF) rule set to flag XSS payload patterns targeting GitLab endpoints prior to patching.
  • Correlate authenticated GitLab API calls with the originating referrer to identify session activity triggered from external or suspicious sources.

Monitoring Recommendations

  • Enable and review Content Security Policy (CSP) violation reports from GitLab user browsers to surface injection attempts.
  • Audit GitLab audit events for unexpected account, token, or permission changes following user link interactions.
  • Monitor for anomalous referrers and User-Agent patterns hitting GitLab paths that historically rendered user-controlled content.

How to Mitigate CVE-2026-10712

Immediate Actions Required

  • Upgrade GitLab CE/EE to version 18.11.6, 19.0.3, or 19.1.1 or later as documented in the GitLab 19.1.1 patch release notes.
  • Rotate user session tokens, personal access tokens, and any credentials that may have been exposed during the exposure window.
  • Notify GitLab users to avoid clicking unverified links pointing to the GitLab instance until patches are applied.

Patch Information

GitLab released fixed builds for all supported branches. Administrators should upgrade self-managed installations to GitLab CE/EE 18.11.6, 19.0.3, or 19.1.1. GitLab.com customers are patched by GitLab as part of the security release process. Refer to GitLab Work Item #601857 for upstream tracking.

Workarounds

  • Restrict GitLab instance exposure to trusted networks where feasible to reduce the attacker reach until patches are deployed.
  • Enforce a strict Content Security Policy on the reverse proxy fronting GitLab to limit inline script execution.
  • Educate users to avoid following untrusted GitLab links and to verify URL paths before authenticating.
bash
# Upgrade self-managed GitLab on Debian/Ubuntu to a fixed release
sudo apt-get update
sudo apt-get install gitlab-ee=19.1.1-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.