CVE-2026-7377 Overview
GitLab has patched a stored cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) tracked as CVE-2026-7377. The flaw resides in customizable analytics dashboards and stems from improper input sanitization [CWE-79]. An authenticated user can inject crafted payloads that execute arbitrary JavaScript in the browser context of other users who view the affected dashboard. The issue affects GitLab EE versions 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. Because the attack changes security scope, a successful exploit can compromise the integrity and confidentiality of victim sessions across the application.
Critical Impact
Authenticated attackers can execute arbitrary JavaScript in victim browsers, enabling session theft, action forgery, and pivoting against GitLab EE users who load malicious analytics dashboards.
Affected Products
- GitLab EE versions 18.7 up to but not including 18.9.7
- GitLab EE versions 18.10 up to but not including 18.10.6
- GitLab EE versions 18.11 up to but not including 18.11.3
Discovery Timeline
- 2026-05-13 - GitLab releases patched versions 18.9.7, 18.10.6, and 18.11.3
- 2026-05-14 - CVE-2026-7377 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-7377
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw [CWE-79] in the customizable analytics dashboards feature of GitLab EE. Dashboard fields accept user-supplied content that is rendered to other users without adequate output encoding or input sanitization. When a victim loads a tampered dashboard, the embedded JavaScript executes in the origin of the GitLab instance.
The attack requires an authenticated user with permission to create or modify analytics dashboards. Exploitation requires user interaction — a victim must view the malicious dashboard. The scope change means injected scripts can access resources beyond the attacker's own privilege boundary, such as the victim's session cookies, CSRF tokens, and authenticated API endpoints.
Successful exploitation enables session hijacking, forced actions through the GitLab API in the context of the victim, exfiltration of source code and pipeline secrets visible to the victim, and lateral movement to higher-privileged accounts including maintainers and administrators.
Root Cause
The root cause is missing or insufficient sanitization of user-controlled inputs rendered inside customizable analytics dashboard components. The dashboard rendering path stores attacker content and later inlines it into the DOM without applying contextual output encoding, allowing JavaScript payloads to break out of the intended data context.
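The following added example (not GitLab's code, and the panel layout is a constructed stand-in for the real dashboard schema) shows the difference between the vulnerable pattern described above and the hardened one: a stored title inlined straight into markup versus the same title passed through contextual HTML encoding before it reaches the DOM.

```javascript
// Added example (not GitLab's code): why contextual output encoding matters
// when a stored dashboard field is inlined into HTML.
// All dashboard values below are constructed sample data.

// Minimal HTML-body encoder: neutralises the five characters that can change
// parsing context inside element content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored title is concatenated straight into markup,
// so a title containing "<script>" becomes executable script when rendered.
function renderPanelUnsafe(panel) {
  return `<section class="panel"><h2>${panel.title}</h2><p>${panel.description}</p></section>`;
}

// Hardened pattern: every user-controlled string is encoded for the HTML
// context it lands in, so the same title renders as literal text.
function renderPanelSafe(panel) {
  return `<section class="panel"><h2>${escapeHtml(panel.title)}</h2><p>${escapeHtml(panel.description)}</p></section>`;
}

// Crude check used only to demonstrate the difference: does the rendered
// output still contain a raw script tag or an inline event-handler attribute?
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: a stored panel whose fields carry payload-shaped strings
// (the script bodies are inert comments).
const samplePanel = {
  title: 'Deploys <script>/*...*/</script>',
  description: 'Weekly <img src=x onerror="/*...*/"> count',
};

console.log(renderPanelUnsafe(samplePanel)); // markup still contains <script> and onerror=
console.log(renderPanelSafe(samplePanel));   // both rendered as &lt;...&gt; text
```

The encoder above is correct only for HTML element content and quoted attribute values; a value that lands inside a URL, a JavaScript string or a CSS block needs the encoder for that context, which is the point of the "contextual" in contextual output encoding.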
Attack Vector
An authenticated attacker creates or edits a customizable analytics dashboard and embeds a JavaScript payload in a vulnerable field. The payload is persisted server-side. When another GitLab user — including project members, maintainers, or administrators — opens the dashboard, the browser parses and executes the stored script under the GitLab origin. The attacker can then issue authenticated requests, read DOM contents, and pivot using the victim's permissions.
The vulnerability mechanism is described in the GitLab Release Patch Notes, the GitLab Work Item Details, and the HackerOne Report #3659044.
Detection Methods for CVE-2026-7377
Indicators of Compromise
- Analytics dashboard definitions containing HTML tags or inline event-handler attributes such as <script>, <img onerror=>, <svg onload=>, or javascript: URIs in title, description, or panel configuration fields.
- Unexpected outbound requests from authenticated user sessions to attacker-controlled domains shortly after a dashboard view event.
- Audit log entries showing dashboard creation or modification by users who do not normally author analytics content.
Detection Strategies
- Query the GitLab database and API for dashboard JSON or YAML definitions containing HTML or JavaScript syntax in user-supplied string fields.
- Inspect web server access logs for GET requests to analytics dashboard endpoints followed by anomalous API calls from the same session.
- Review GitLab audit events for analytics_dashboard create and update actions correlated with privileged accounts viewing those dashboards.
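As an added example of the first detection strategy (this is not GitLab's code; the definition layout with title, description and panels[].visualization.options is an assumed shape for illustration, not GitLab's schema, and the scanner walks any JSON it is given), the script below searches every string field of exported dashboard definitions for the indicators listed above and reports where each match was found.

```javascript
// Added example (not GitLab's code): scan stored dashboard definitions for the
// HTML/JavaScript indicators listed under Indicators of Compromise.
// The definition layout used in the sample is an assumed shape, not GitLab's schema.

// Indicator patterns, ordered most specific first.
const INDICATORS = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: /<\s*\w+[^>]*\son\w+\s*=/i },       // <img onerror=, <svg onload=, ...
  { name: "javascript-uri", re: /\bjavascript\s*:/i },
  { name: "html-tag",       re: /<\s*\/?\s*[a-z][\w-]*[\s>\/]/i },  // any remaining markup
];

// Recursively visit every string in a parsed definition and record matches
// together with a JSON-pointer-like path so an analyst can locate the field.
// Only the first (most specific) matching indicator is recorded per string.
function scanDashboard(definition) {
  const findings = [];
  const visit = (node, path) => {
    if (typeof node === "string") {
      for (const ind of INDICATORS) {
        if (ind.re.test(node)) {
          findings.push({ path, indicator: ind.name, value: node });
          break;
        }
      }
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => visit(item, `${path}/${i}`));
    } else if (node && typeof node === "object") {
      for (const [key, val] of Object.entries(node)) visit(val, `${path}/${key}`);
    }
  };
  visit(definition, "");
  return findings;
}

// Scan a batch of dashboards (for example, an API or database export) and
// return only those with at least one finding, keyed by dashboard id.
function triageDashboards(dashboards) {
  const report = {};
  for (const d of dashboards) {
    const findings = scanDashboard(d.definition);
    if (findings.length) report[d.id] = findings;
  }
  return report;
}

// Constructed sample export: one benign dashboard (note the harmless "<" in a
// title), one with stored markup in a description and a panel option.
const sampleExport = [
  { id: "dash-benign",  definition: { title: "Lead time", panels: [{ title: "p95 < 2h", visualization: { options: { format: "hours" } } }] } },
  { id: "dash-suspect", definition: { title: "Velocity", description: "<svg onload=\"/*...*/\">", panels: [{ title: "Open issues", visualization: { options: { link: "javascript:void(0)" } } }] } },
];

console.log(JSON.stringify(triageDashboards(sampleExport), null, 2));
```

The html-tag pattern deliberately requires a letter after the angle bracket so that comparison text such as "p95 < 2h" is not reported; tune the pattern list to the fields your dashboards legitimately contain before running it across an instance.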
Monitoring Recommendations
- Enable and centralize GitLab audit logs covering dashboard create, update, and view events.
- Alert on Content Security Policy (CSP) violation reports originating from GitLab analytics paths.
- Monitor for new personal access tokens, SSH keys, or webhook configurations created shortly after dashboard interactions by maintainers or administrators.
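To illustrate the CSP recommendation above, here is an added triage routine (not GitLab's code) for browser Content-Security-Policy violation reports: it keeps only script-src violations whose document path looks like an analytics dashboard and aggregates them into alerts. The "/-/analytics/" path marker is an assumption standing in for whatever routes the deployment serves; the report field names follow the standard "csp-report" JSON format browsers send.

```javascript
// Added example (not GitLab's code): triage Content-Security-Policy violation
// reports and raise an alert when a script violation originates from an
// analytics dashboard page.
// ANALYTICS_PATH_MARKER is an assumption; adjust it to the instance's routes.
const ANALYTICS_PATH_MARKER = "/-/analytics/";

// Decide whether one report is worth alerting on. Returns null for reports to ignore.
function classifyCspReport(report) {
  const r = report["csp-report"];
  if (!r) return null;
  const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  if (!directive.startsWith("script-src")) return null; // only script execution matters here

  let path;
  try { path = new URL(r["document-uri"]).pathname; } catch { return null; }
  if (!path.includes(ANALYTICS_PATH_MARKER)) return null;

  const blocked = r["blocked-uri"] || "";
  const kind = (blocked === "inline" || blocked === "eval") ? "inline-script" : "external-script";
  return { path, kind, blockedUri: blocked, sample: r["script-sample"] || "" };
}

// Aggregate a batch of reports into alerts, one per (kind, path) pair with a
// count, so a burst of inline-script violations on one dashboard stands out.
function buildCspAlerts(reports) {
  const buckets = new Map();
  for (const rep of reports) {
    const c = classifyCspReport(rep);
    if (!c) continue;
    const key = `${c.kind} ${c.path}`;
    const b = buckets.get(key) || { path: c.path, kind: c.kind, count: 0, blockedUris: new Set() };
    b.count += 1;
    b.blockedUris.add(c.blockedUri);
    buckets.set(key, b);
  }
  return [...buckets.values()].map(b => ({ ...b, blockedUris: [...b.blockedUris] }));
}

// Constructed sample reports: two inline-script violations on one dashboard,
// one external script load from the same page, and one style violation to ignore.
const sampleReports = [
  { "csp-report": { "document-uri": "https://gitlab.example.test/group/proj/-/analytics/dashboards/velocity", "effective-directive": "script-src-elem", "blocked-uri": "inline", "script-sample": "/*...*/" } },
  { "csp-report": { "document-uri": "https://gitlab.example.test/group/proj/-/analytics/dashboards/velocity", "effective-directive": "script-src-elem", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://gitlab.example.test/group/proj/-/analytics/dashboards/velocity", "violated-directive": "script-src 'self'", "blocked-uri": "https://collector.third-party.invalid/x.js" } },
  { "csp-report": { "document-uri": "https://gitlab.example.test/group/proj/-/analytics/dashboards/velocity", "effective-directive": "style-src-elem", "blocked-uri": "inline" } },
];

console.log(buildCspAlerts(sampleReports));
```

A report-only policy (Content-Security-Policy-Report-Only) produces the same reports without blocking anything, which is a low-risk way to collect this telemetry before enforcing the strict policy mentioned under Workarounds.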
How to Mitigate CVE-2026-7377
Immediate Actions Required
- Upgrade GitLab EE to 18.9.7, 18.10.6, or 18.11.3 depending on the deployed branch.
- Audit all existing customizable analytics dashboards for embedded HTML or JavaScript content and remove suspicious entries.
- Rotate session tokens, personal access tokens, and CI/CD secrets for any account that viewed a suspicious dashboard before patching.
Patch Information
GitLab addressed CVE-2026-7377 in the patch release published on 2026-05-13. Fixed versions are 18.9.7, 18.10.6, and 18.11.3. Deployment details and upgrade instructions are available in the GitLab Release Patch Notes.
Workarounds
- Restrict permissions to create or edit customizable analytics dashboards to a small, trusted group until the upgrade is applied.
- Enforce a strict Content Security Policy that blocks inline scripts on GitLab analytics paths.
- Disable the customizable analytics dashboards feature in affected projects until patched versions are deployed.
Upgrade and Verification Commands
# Example upgrade on an Omnibus package-based installation (18.11 branch shown; use 18.9.7-ee.0 or 18.10.6-ee.0 for the other affected branches)
sudo apt-get update && sudo apt-get install gitlab-ee=18.11.3-ee.0
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
# Verify the installed GitLab version after upgrade
sudo gitlab-rake gitlab:env:info | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.