Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13320

CVE-2026-13320: GitLab CE/EE XSS Vulnerability

CVE-2026-13320 is a cross-site scripting flaw in GitLab CE/EE allowing authenticated users to execute arbitrary scripts in victim browsers. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-13320 Overview

CVE-2026-13320 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw stems from improper sanitization of user-supplied input. An authenticated attacker can inject scripts that execute in another user's browser session under specific conditions. GitLab has released fixes across three affected release branches.

Critical Impact

An authenticated user can execute arbitrary JavaScript in a victim's browser session, enabling session hijacking, credential theft, and unauthorized actions performed as the victim within GitLab.

Affected Products

  • GitLab CE/EE versions 15.7 through versions prior to 18.11.7
  • GitLab CE/EE versions 19.0 through versions prior to 19.0.4
  • GitLab CE/EE versions 19.1 through versions prior to 19.1.2

Discovery Timeline

  • 2026-07-08 - CVE-2026-13320 published to the National Vulnerability Database (NVD)
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-13320

Vulnerability Analysis

CVE-2026-13320 is a stored Cross-Site Scripting (XSS) issue tracked under CWE-79. GitLab CE/EE fails to properly sanitize user-supplied input before rendering it in the web interface. An authenticated attacker with sufficient privileges can plant a malicious payload that later executes in another user's browser context.

The attack requires user interaction and a scope change, meaning the injected script can affect resources beyond the vulnerable component. Once triggered, the attacker's JavaScript runs with the victim's session privileges. This exposes session tokens, personal access tokens, and any project data the victim can access.

GitLab tracks internal remediation details in the GitLab Work Item Discussion and the coordinated disclosure appears in HackerOne Security Report #3816917.

Root Cause

The root cause is missing or insufficient output encoding on a user-controlled field rendered in the GitLab UI. Input that should be treated as inert text is instead interpreted as HTML or JavaScript. The absence of contextual escaping allows script tags or event handler attributes to persist in stored content and execute on retrieval.

Attack Vector

Exploitation requires the attacker to authenticate to GitLab with elevated privileges and to prepare content containing a script payload. A victim must then view the affected resource, triggering execution. Because the scope changes on execution, the payload can pivot to actions the victim is authorized to perform, including API calls against GitLab endpoints.

No verified public exploit code is available. See the GitLab Release Patch Note for vendor-published technical context.

Detection Methods for CVE-2026-13320

Indicators of Compromise

  • Unexpected <script> tags, javascript: URIs, or DOM event handler attributes (onerror, onload, onmouseover) stored inside GitLab issues, merge requests, comments, wiki pages, or project metadata.
  • Outbound HTTP requests from user browsers to unfamiliar domains immediately after viewing GitLab pages.
  • Anomalous GitLab API activity performed under legitimate user tokens shortly after the user browsed attacker-controlled content.

Detection Strategies

  • Review GitLab application logs and database content for stored fields containing HTML control characters or script constructs.
  • Correlate production_json.log requests that render user-generated content with subsequent unusual API calls from the same session.
  • Enable and monitor Content Security Policy (CSP) violation reports to surface script execution attempts blocked by the browser.

Monitoring Recommendations

  • Alert on the creation of personal access tokens or SSH keys shortly after a user views issues, merge requests, or wiki content authored by another account.
  • Monitor audit events for privilege changes, project transfers, or membership modifications performed within minutes of viewing user-generated content.
  • Track GitLab admin and maintainer sessions for browser-initiated actions that deviate from historical baselines.

How to Mitigate CVE-2026-13320

Immediate Actions Required

  • Upgrade GitLab CE/EE to 18.11.7, 19.0.4, or 19.1.2 depending on your current release branch.
  • Rotate personal access tokens, SSH keys, and session cookies for any users who may have viewed suspect content prior to patching.
  • Audit recent changes to project membership, permissions, and integrations for actions that may have been triggered via XSS.

Patch Information

GitLab has released fixed versions 18.11.7, 19.0.4, and 19.1.2. Administrators of self-managed instances should apply the appropriate patch release for their branch. See the GitLab Release Patch Note for upgrade procedures and version-specific guidance. GitLab.com SaaS is patched by the vendor.

Workarounds

  • No official workaround has been published; upgrading to a fixed release is the supported remediation path.
  • Restrict membership and content-authoring privileges in shared projects to trusted accounts to reduce the pool of potential attackers until patching completes.
  • Enforce a strict Content Security Policy at the reverse proxy layer to limit inline script execution as a defense-in-depth control.
bash
# Configuration example: upgrade an Omnibus GitLab self-managed instance
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install gitlab-ee=19.1.2-ee.0

# RHEL/CentOS
sudo yum install gitlab-ee-19.1.2-ee.0

# Verify running version after upgrade
sudo gitlab-rake gitlab:env:info | grep 'GitLab information' -A2

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.