CVE-2026-6335 Overview
CVE-2026-6335 is a stored cross-site scripting (XSS) vulnerability affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The flaw exists in all versions starting from 18.11 before 18.11.3. Improper sanitization of user-supplied content allows an authenticated attacker to inject malicious script that executes in another user's browser session under specific conditions. GitLab remediated the issue in version 18.11.3, released on May 13, 2026. The weakness is tracked as CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
An authenticated attacker can execute arbitrary JavaScript in a victim user's browser session, enabling session manipulation, UI redress, or limited data theft within the GitLab application context.
Affected Products
- GitLab Community Edition (CE) versions 18.11 through 18.11.2
- GitLab Enterprise Edition (EE) versions 18.11 through 18.11.2
- Self-managed GitLab instances running the affected releases
Discovery Timeline
- 2026-05-13 - GitLab releases patch version 18.11.3 addressing the issue
- 2026-05-14 - CVE-2026-6335 published to the National Vulnerability Database
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6335
Vulnerability Analysis
The vulnerability is a stored cross-site scripting (XSS) flaw classified under [CWE-79]. GitLab fails to properly sanitize specific user-controlled input before rendering it within the web interface. An authenticated user can craft input containing JavaScript payloads that are persisted by the application. When another authenticated user views the affected resource, the malicious payload executes in that user's browser session.
Because the scope is changed (S:C), the injected script can affect resources beyond the vulnerable component, including the victim's authenticated session context. User interaction is required, meaning the victim must view the resource containing the injected payload. Confidentiality and integrity impacts are limited, and there is no direct availability impact.
The full technical details are tracked in GitLab Work Item #596760 and the original HackerOne Report #3673647.
Root Cause
The root cause is improper output encoding and sanitization when rendering user-supplied content within the GitLab UI. The application accepts input that retains executable script semantics after processing. When the content is later rendered in another user's browser, the embedded script executes in the trusted origin of the GitLab instance.
Attack Vector
The attack vector is network-based and requires low-privilege authentication on the target GitLab instance. An attacker submits a crafted payload through an affected input field. The payload is stored server-side. When a victim user navigates to the resource containing the payload, the script executes within the victim's session. Self-managed instances and multi-tenant GitLab.com workspaces are both within scope until upgraded to 18.11.3.
No public proof-of-concept exploitation code has been verified for this issue. Refer to the GitLab Patch Release Announcement for vendor-supplied technical details.
Detection Methods for CVE-2026-6335
Indicators of Compromise
- Unexpected <script> tags, event handlers (onerror, onload), or javascript: URIs in GitLab issue descriptions, comments, merge request fields, wiki pages, or other user-editable resources
- Browser console errors or unexpected outbound requests originating from authenticated GitLab sessions
- Anomalous API calls made from a user's session that the user did not initiate, such as token creation or permission changes
Detection Strategies
- Review GitLab production logs for HTTP requests containing suspicious payload patterns (<script, onerror=, javascript:, encoded variants) submitted to content endpoints
- Audit recently created or modified issues, comments, snippets, and wiki content within affected version ranges for embedded scripts
- Correlate authenticated session activity with unusual privilege changes, personal access token generation, or SSH key additions
Monitoring Recommendations
- Enable and centralize GitLab audit events and Rails production logs into a SIEM for content-injection pattern matching
- Monitor browser Content Security Policy (CSP) violation reports from GitLab if CSP reporting is configured
- Track GitLab version inventory across self-managed instances to ensure all nodes are running 18.11.3 or later
How to Mitigate CVE-2026-6335
Immediate Actions Required
- Upgrade all GitLab CE and EE self-managed instances to version 18.11.3 or later
- Rotate personal access tokens, session cookies, and credentials for any users who may have viewed attacker-controlled content during the exposure window
- Review audit logs for suspicious actions performed by privileged users on affected versions
Patch Information
GitLab released version 18.11.3 on May 13, 2026, which remediates this issue. Apply the upgrade following the standard GitLab upgrade path. Full release notes are available in the GitLab Patch Release Announcement.
Workarounds
- No official vendor workaround is published; upgrading to 18.11.3 is the supported remediation
- Restrict creation of new content to trusted users until the patch is applied where operationally feasible
- Enforce a strict Content Security Policy on the GitLab instance to reduce the impact of script injection
# Configuration example: upgrade GitLab on a Debian/Ubuntu self-managed instance
sudo apt-get update
sudo apt-get install gitlab-ee=18.11.3-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:check SANITIZE=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
