CVE-2026-6073 Overview
CVE-2026-6073 is a stored cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) caused by improper input sanitization [CWE-79]. An authenticated user can inject arbitrary JavaScript that executes in another user's browser session when the malicious content is rendered. The flaw affects GitLab EE versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. GitLab released patched builds on May 13, 2026, and the CVE was published to the National Vulnerability Database (NVD) on May 14, 2026.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers, leading to session theft, account takeover, and cross-tenant data exposure within GitLab EE instances.
Affected Products
- GitLab EE versions 18.7 through 18.9.6
- GitLab EE versions 18.10 through 18.10.5
- GitLab EE versions 18.11 through 18.11.2
Discovery Timeline
- 2026-05-13 - GitLab releases patched versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2026-6073 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6073
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw in GitLab EE. User-supplied input is rendered in the GitLab web interface without adequate sanitization or output encoding. When another user loads the affected view, the injected JavaScript executes in their authenticated browser context.
The CVSS vector indicates the attack scope is changed, meaning code executed in the victim's browser can affect resources beyond the originally compromised component. Successful exploitation can leak session cookies, personal access tokens visible in the DOM, project source code, CI/CD secrets, and merge request data. Attackers can also pivot to perform actions on behalf of the victim, including modifying repositories or escalating permissions if the target holds administrative roles.
Root Cause
The root cause is missing or insufficient input sanitization on a user-controllable field that is later rendered in the GitLab UI. The application stores attacker-supplied content and renders it as HTML rather than escaping it. This pattern maps directly to CWE-79: Improper Neutralization of Input During Web Page Generation. GitLab has not publicly disclosed the specific component pending broad customer patching, per GitLab Work Item #596340.
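The render-as-HTML-versus-escape distinction described above, as an added illustration that is not GitLab's code and not a reconstruction of the affected component. It uses plain ERB from the Ruby standard library as a deliberately minimal stand-in for a view that prints a stored comment body; the template, function names and the sample payload are constructed for the example.

```ruby
require 'erb'

# Minimal stand-in for a view that renders a stored comment body. Plain ERB's
# <%= %> does NOT escape HTML, so whatever is stored in `body` is emitted as markup.
NOTE_TEMPLATE = ERB.new('<div class="note"><%= body %></div>')

# Vulnerable pattern (CWE-79): the stored value is interpolated into the page as-is.
def render_unsafe(body)
  NOTE_TEMPLATE.result_with_hash(body: body)
end

# Hardened pattern: output-encode at render time so the browser treats the
# value as text. ERB::Util.html_escape rewrites & < > " ' to entity references.
def render_escaped(body)
  NOTE_TEMPLATE.result_with_hash(body: ERB::Util.html_escape(body))
end

# Cheap self-check for a rendered fragment: does it still carry a script
# element or an inline event-handler attribute after rendering?
def active_content?(html)
  html.match?(/<\s*script\b/i) || html.match?(/<[^>]+\son[a-z]+\s*=/i)
end

if __FILE__ == $0
  stored = '<img src=x onerror=alert(1)>' # constructed sample of a stored payload
  puts render_unsafe(stored)  # the markup reaches the browser unchanged
  puts render_escaped(stored) # &lt;img src=x onerror=alert(1)&gt; renders as text
end
```

Escaping everything is the right default for plain-text fields. Fields that legitimately carry limited markup (Markdown-derived HTML, for instance) cannot be fixed by escaping alone and need an allowlist-based HTML sanitizer applied before storage or at render time; the self-check above is only a smoke test, not a substitute for one.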
Attack Vector
Exploitation requires an authenticated user with permissions to submit content to a shared GitLab resource. The attacker stores a JavaScript payload in a vulnerable field. A second user with view access triggers execution by navigating to the rendered content. User interaction on the victim side is required, and the attack is network-reachable on any GitLab EE instance exposing the affected interface.
No verified proof-of-concept code has been published. Technical details are available in the HackerOne Report #3655677 and the GitLab Release Patch 18.11.3 advisory.
Detection Methods for CVE-2026-6073
Indicators of Compromise
- HTML tags, <script> elements, or JavaScript event handlers such as onerror= and onload= appearing in stored GitLab content fields
- Outbound HTTP requests from authenticated GitLab user browsers to unfamiliar domains shortly after viewing GitLab pages
- Unexpected use of personal access tokens or session cookies from anomalous IP addresses or user agents
- Audit log entries showing privileged actions performed immediately after a user viewed attacker-controlled content
Detection Strategies
- Inspect GitLab production logs for requests containing HTML or script payloads in POST and PUT bodies targeting issue, comment, snippet, and merge request endpoints
- Deploy Content Security Policy (CSP) reporting and alert on script-src violations originating from authenticated GitLab sessions
- Compare the GitLab version recorded in application logs against the affected version ranges to confirm the exposure window before patching
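The first and third detection strategies above, worked as an added example that is not part of the advisory: a small Ruby script that scans log lines shaped like GitLab's production_json.log for write requests to issue, note, snippet and merge request endpoints whose parameters carry script-bearing constructs from the indicator list, plus a version check against the three affected ranges. The log lines, usernames, IPs and paths are constructed; the field names follow the general shape of production_json.log and should be confirmed against your instance's own entries.

```ruby
require 'json'

# Constructed sample lines in the shape of production_json.log (one JSON object
# per line). These are not real log entries.
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/acme/app/-/issues","controller":"Projects::IssuesController","action":"create","status":302,"remote_ip":"10.0.0.5","username":"alice","params":[{"key":"issue","value":{"title":"Login fails","description":"Steps to reproduce: click login"}}]}
  {"method":"POST","path":"/acme/app/-/notes","controller":"Projects::NotesController","action":"create","status":302,"remote_ip":"10.0.0.9","username":"mallory","params":[{"key":"note","value":{"note":"<img src=x onerror=alert(1)>"}}]}
  {"method":"PUT","path":"/acme/app/-/snippets/7","controller":"Projects::SnippetsController","action":"update","status":302,"remote_ip":"10.0.0.9","username":"mallory","params":[{"key":"snippet","value":{"content":"<script src=https://x.example/a.js></script>"}}]}
  {"method":"GET","path":"/acme/app/-/merge_requests/3","controller":"Projects::MergeRequestsController","action":"show","status":200,"remote_ip":"10.0.0.5","username":"alice","params":[{"key":"id","value":"3"}]}
  {"method":"PUT","path":"/acme/app/-/merge_requests/3","controller":"Projects::MergeRequestsController","action":"update","status":302,"remote_ip":"10.0.0.5","username":"alice","params":[{"key":"merge_request","value":{"description":"Updated <b>bold</b> text"}}]}
LOG

# Write requests to endpoints that store user-supplied content.
WRITE_METHODS = %w[POST PUT PATCH].freeze
CONTENT_PATH = %r{/-/(issues|notes|snippets|merge_requests)(/|$)}

# Script-bearing constructs from the indicator list. Plain tags such as <b>
# are deliberately not matched, to keep noise down on Markdown-heavy instances.
PAYLOAD_PATTERNS = [
  /<\s*script\b/i,
  /\bon[a-z]+\s*=/i,
  /javascript\s*:/i,
  /<\s*(iframe|object|embed|svg)\b/i
].freeze

# Recursively collect every string from a nested params structure.
def string_values(value)
  case value
  when String then [value]
  when Array  then value.flat_map { |v| string_values(v) }
  when Hash   then value.values.flat_map { |v| string_values(v) }
  else []
  end
end

# Returns one finding hash per suspicious request; malformed lines are skipped.
def scan_log(text)
  text.each_line.filter_map do |line|
    entry = JSON.parse(line) rescue nil
    next unless entry.is_a?(Hash)
    next unless WRITE_METHODS.include?(entry['method'])
    next unless entry['path'].to_s.match?(CONTENT_PATH)
    values = string_values(Array(entry['params']).map { |p| p.is_a?(Hash) ? p['value'] : p })
    hits = values.select { |v| PAYLOAD_PATTERNS.any? { |re| v.match?(re) } }
    next if hits.empty?
    { username: entry['username'], remote_ip: entry['remote_ip'],
      method: entry['method'], path: entry['path'], evidence: hits }
  end
end

# Affected ranges from the advisory as [first affected, first fixed) triples.
AFFECTED_RANGES = [
  [[18, 7, 0],  [18, 9, 7]],
  [[18, 10, 0], [18, 10, 6]],
  [[18, 11, 0], [18, 11, 3]]
].freeze

# "18.11.3-ee.0" -> [18, 11, 3]; missing components are treated as 0.
def parse_version(str)
  parts = str[/\d+(\.\d+)*/].to_s.split('.').map(&:to_i)
  (parts + [0, 0, 0]).first(3)
end

def affected?(version)
  v = parse_version(version)
  AFFECTED_RANGES.any? { |lo, hi| (v <=> lo) >= 0 && (v <=> hi) < 0 }
end

if __FILE__ == $0
  scan_log(SAMPLE_LOG).each { |f| puts f.inspect }
  %w[18.9.6-ee 18.9.7 18.10.5 18.11.3-ee.0].each { |v| puts "#{v}: affected=#{affected?(v)}" }
end
```

On a real instance, feed `scan_log` the production_json.log lines from the exposure window and pivot from each finding's username and remote_ip into the audit log for the privileged actions listed under Indicators of Compromise.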
Monitoring Recommendations
- Forward GitLab audit and production logs to a centralized SIEM with retention covering the exposure window
- Monitor for sudden spikes in API token usage or repository clones following user logins
- Alert on administrator-level configuration changes performed by accounts that recently viewed user-supplied content
How to Mitigate CVE-2026-6073
Immediate Actions Required
- Upgrade GitLab EE to version 18.9.7, 18.10.6, or 18.11.3 (or a later release on the same branch), depending on your deployment branch
- Rotate personal access tokens, runner registration tokens, and session secrets if the instance was exposed before patching
- Audit administrator and maintainer accounts for unauthorized configuration changes during the exposure window
Patch Information
GitLab released fixed builds on May 13, 2026. Patched versions are 18.9.7, 18.10.6, and 18.11.3. Self-managed instances must apply the corresponding package or container image. Details are published in the GitLab Release Patch 18.11.3 announcement.
Workarounds
- Restrict instance access to trusted users until patching is complete, since exploitation requires authentication
- Enforce a strict Content Security Policy that disables inline JavaScript and limits script-src to known origins
- Disable or restrict features that accept rich-text or HTML input from low-privileged users where business operations allow
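The strict Content Security Policy workaround above, as an added example that is not part of the advisory and not GitLab's own configuration: a weak policy next to the strict one, in the hash shape that Omnibus GitLab documents for `gitlab_rails['content_security_policy']` (the `enabled`, `report_only` and `directives` keys), plus a small linter that reports why the weak one falls short. The key names are as I know them from the Omnibus documentation and should be confirmed against your version's docs; the origins and the report endpoint are placeholders.

```ruby
# Weak policy: report-only, and inline/eval scripts still allowed, so a stored
# payload that slips past sanitization runs and is merely reported.
WEAK_CSP = {
  'enabled' => true,
  'report_only' => true,
  'directives' => {
    'default_src' => "'self'",
    'script_src'  => "'self' 'unsafe-inline' 'unsafe-eval' https://gitlab.example.com", # placeholder origin
    'report_uri'  => 'https://csp-reports.example.com/gitlab'                             # placeholder endpoint
  }
}.freeze

# Strict policy matching the workaround: no inline JavaScript, script-src limited
# to known origins, plugins blocked, violations still reported to the SOC.
STRICT_CSP = {
  'enabled' => true,
  'report_only' => false,
  'directives' => {
    'default_src' => "'self'",
    'script_src'  => "'self' https://gitlab.example.com", # placeholder origin
    'object_src'  => "'none'",
    'base_uri'    => "'self'",
    'report_uri'  => 'https://csp-reports.example.com/gitlab' # placeholder endpoint
  }
}.freeze

# Render the directives hash into the header value a browser would receive,
# so the policy can be reviewed before it is committed to gitlab.rb.
def csp_header(config)
  config['directives'].map { |name, value| "#{name.tr('_', '-')} #{value}" }.join('; ')
end

# Lint a policy hash for the weaknesses that matter against stored XSS.
def policy_findings(config)
  findings = []
  findings << 'report_only: violations are reported but not blocked' if config['report_only']
  script = config.dig('directives', 'script_src').to_s
  %w['unsafe-inline' 'unsafe-eval'].each do |token|
    findings << "script-src allows #{token}" if script.include?(token)
  end
  findings << 'no object-src restriction' unless config.dig('directives', 'object_src')
  findings
end

if __FILE__ == $0
  puts "weak:   #{csp_header(WEAK_CSP)}"
  puts "  findings: #{policy_findings(WEAK_CSP).inspect}"
  puts "strict: #{csp_header(STRICT_CSP)}"
  puts "  findings: #{policy_findings(STRICT_CSP).inspect}"
end
```

To apply the strict policy, assign the hash literal to `gitlab_rails['content_security_policy']` in /etc/gitlab/gitlab.rb and run `sudo gitlab-ctl reconfigure`. Roll it out with `report_only` set to true first and watch the report endpoint: GitLab's own front end relies on scripts that an over-tight script-src can block, and the report phase shows which legitimate origins the instance needs before enforcement is switched on.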
# Upgrade example for an Omnibus-based GitLab EE deployment (Debian/Ubuntu package naming)
sudo apt-get update
# Pin the exact fixed package; use the release that matches your branch (18.9.7, 18.10.6 or 18.11.3)
sudo apt-get install gitlab-ee=18.11.3-ee.0
# Apply the upgraded version's configuration
sudo gitlab-ctl reconfigure
# Verify the installation after the upgrade
sudo gitlab-rake gitlab:check SANITIZE=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.