CVE-2026-2995: GitLab Auth Bypass Vulnerability

CVE-2026-2995 Overview

A Cross-Site Scripting (XSS) vulnerability has been identified in GitLab Enterprise Edition (EE) that allows an authenticated user to add email addresses to targeted user accounts through improper sanitization of HTML content. This vulnerability stems from inadequate input validation in the HTML processing components of GitLab, enabling attackers to manipulate user account data.

Critical Impact

Authenticated attackers can exploit improper HTML sanitization to inject malicious content and modify email addresses on targeted user accounts, potentially leading to account takeover or phishing attacks.

Affected Products

• GitLab Enterprise Edition versions 15.4 through 18.8.6
• GitLab Enterprise Edition versions 18.9.0 through 18.9.2
• GitLab Enterprise Edition version 18.10.0

Discovery Timeline

• 2026-03-25 - CVE-2026-2995 published to NVD
• 2026-03-25 - GitLab releases security patch (versions 18.8.7, 18.9.3, and 18.10.1)
• 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-2995

Vulnerability Analysis

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The core issue lies in GitLab's HTML content processing pipeline, where user-supplied input is not properly sanitized before being rendered or processed by the application.

The attack requires authentication (low privileges) and some user interaction, but operates through a network-accessible vector. When exploited, the vulnerability affects the confidentiality and integrity of the application by enabling unauthorized modifications to user account email addresses. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope.

Root Cause

The root cause of CVE-2026-2995 is improper sanitization of HTML content within GitLab EE. The application fails to adequately neutralize script-related HTML tags and special characters before processing user input, allowing malicious HTML content to bypass security controls. This inadequate sanitization enables authenticated users to inject crafted HTML payloads that manipulate the email address assignment functionality for other user accounts.

Attack Vector

The attack is executed over the network by an authenticated user with standard privileges. The attacker crafts malicious HTML content containing payloads designed to exploit the sanitization weakness. When this content is processed by GitLab, it bypasses the intended security controls and allows the attacker to add email addresses to accounts belonging to other users.

This type of attack could be leveraged for:

• Account takeover through email-based password reset mechanisms
• Phishing attacks targeting specific users within the GitLab instance
• Establishing persistence by adding attacker-controlled email addresses to privileged accounts

The vulnerability requires user interaction, suggesting the malicious payload must be viewed or processed by another user or administrator for the email injection to occur.

Detection Methods for CVE-2026-2995

Indicators of Compromise

• Unexpected email address additions to user accounts, particularly privileged or administrative accounts
• Unusual HTML content in user-generated fields such as comments, descriptions, or profile sections
• Authentication logs showing password reset requests initiated from newly added, unrecognized email addresses
• User reports of receiving unexpected account verification emails

Detection Strategies

• Monitor GitLab audit logs for email address modifications, especially those affecting multiple accounts or privileged users
• Implement web application firewall (WAF) rules to detect and block HTML injection patterns in user input
• Review application logs for anomalous HTML parsing errors or sanitization bypass attempts
• Deploy Content Security Policy (CSP) headers to mitigate the impact of successful XSS exploitation

Monitoring Recommendations

• Enable and regularly review GitLab's built-in audit events for user account modifications
• Configure alerting for bulk email address changes or additions across user accounts
• Monitor for suspicious login patterns from newly associated email addresses
• Implement real-time log analysis for HTML injection signatures in user input fields

How to Mitigate CVE-2026-2995

Immediate Actions Required

• Upgrade GitLab EE to patched versions: 18.8.7, 18.9.3, or 18.10.1 immediately
• Review user accounts for unauthorized email address additions and remove any suspicious entries
• Audit recent account activity for signs of exploitation, particularly password reset attempts
• Consider temporarily restricting user permissions to modify account settings until patches are applied

Patch Information

GitLab has released patched versions addressing this vulnerability. Organizations should upgrade to the following versions based on their current deployment:

For detailed patch information and upgrade instructions, refer to the GitLab Patch Release Announcement. Additional technical details are available in the GitLab Work Item #591065 and HackerOne Report #3564600.

Workarounds

• Implement strict Content Security Policy (CSP) headers to limit the impact of XSS attacks
• Deploy a web application firewall (WAF) with rules to filter HTML injection attempts
• Restrict access to user account modification features to trusted administrators only
• Enable multi-factor authentication (MFA) to add additional protection against account takeover
• Monitor and alert on email address changes through external audit log analysis

# Verify GitLab version after upgrade
gitlab-rake gitlab:env:info | grep -i version

# Check for unauthorized email additions (query Rails console)
# gitlab-rails console
# User.where("updated_at > ?", 7.days.ago).select(:id, :email, :secondary_emails)