GitLab GitLab Version Control Server

Known Exploited GitLab Vulnerabilities

The following GitLab vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

The vulnerability CVE-2023-7028: GitLab Community and Enterprise Editions Improper Access Control Vulnerability is in the top 1% of the currently known exploitable vulnerabilities. 2 known exploited GitLab vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 144 vulnerabilities in GitLab with an average score of 5.8 out of ten. Last year, in 2025 GitLab had 162 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in GitLab in 2026 could surpass last years number. Last year, the average CVE base score was greater by 0.30

Recent GitLab Security Vulnerabilities

CVE	Date	Vulnerability	Products
CVE-2026-10086	Jun 25, 2026	GitLab EE 18.11.6/19.0.3/19.1.1: Dev role XSS via code exec GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.	GitLab
CVE-2026-0934	Jun 25, 2026	GitLab EE: Auth Priv Access to Env Configs (v17.9-18.11,19.0-19.0,19.1-19.1) GitLab has remediated an issue in GitLab EE affecting all versions from 17.9 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with custom role permissions to view, create, or delete protected environment configurations despite CI/CD visibility being disabled for the project.	GitLab
CVE-2026-1606	Jun 25, 2026	GitLab CE/EE Snippet Escalation (18.11.5, 19.0.2, 19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation.	GitLab
CVE-2026-2238	Jun 25, 2026	GitLab CE/EE <18.11.6/19.0.3/19.1.1 Unauthorized Confidential Issue Ref Access GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.5 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to view confidential issue references on public projects due to improper authorization checks.	GitLab
CVE-2026-3176	Jun 25, 2026	GitLab EE 18.618.11.5/19.0/19.1 AuthZ Bypass (Limited Auth) GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with limited permissions to access project information due to insufficient authorization checks.	GitLab
CVE-2026-5309	Jun 25, 2026	Unauth Access to GitLab EE Virtual Registry Cleanup Policy (18.11.6, 19.1.1) GitLab has remediated an issue in GitLab EE affecting all versions from 18.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to read or modify another group's virtual registry cleanup policy settings without authorization.	GitLab
CVE-2026-5796	Jun 25, 2026	GitLab CE/EE Pkg Reg Metadata View Bypass (13.6-18.11.5,19.0-19.0.2,19.1-19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.	GitLab
CVE-2026-5952	Jun 25, 2026	GitLab <18.11.6, <19.0.3, <19.1.1: Dev Auth Bypass Pkg Protect, Overwrite Mvn Meta GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite protected Maven package metadata due to incorrect authorization checks.	GitLab
CVE-2026-8330	Jun 25, 2026	GitLab CI/CD Log Disclosure via API (before 18.11.6, <19.0.3, <19.1.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed sensitive information to be written to application logs due to insufficient filtering in a CI/CD API endpoint.	GitLab
CVE-2026-10712	Jun 25, 2026	GitLab CE/EE XSS via Improper Path Validation (18.11.5/19.0.2/19.1.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.	GitLab
CVE-2026-11379	Jun 25, 2026	GitLab EE Auth Bypass in DAST Site Profile (<18.11.6, <19.0.3, <19.1.1) GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.	GitLab
CVE-2026-12053	Jun 25, 2026	GitLab EE <19.1.1 Improper Output Filtering in Duo Workflows Allows Sensitive Data Leak GitLab has remediated an issue in GitLab EE affecting all versions from 19.1 before 19.1.1 that under certain conditions could have allowed a user to access sensitive information that had already been committed to a project, due to insufficient output filtering in Duo Workflows.	GitLab
CVE-2026-12635	Jun 25, 2026	GitLab Mirror Sync URL Validation flaw (8.318.11.5 & 19.x before patch) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through mirror synchronization due to improper URL validation.	GitLab
CVE-2026-1500	Jun 11, 2026	GitLab DoS via Uncontrolled Resource Consumption on File Upload (17.1018.10.8, 18.1118.11.5, 19.019. GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to cause denial of service due to uncontrolled resource consumption when processing a specially crafted file upload.	GitLab
CVE-2026-3553	Jun 11, 2026	GitLab CE/EE <=18.10.8 Auth Bypass Exposes Issue Details GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to access confidential issue details due to incorrect authorization checks.	GitLab
CVE-2026-6269	Jun 11, 2026	GitLab Auth Bypass on Hidden MRs (v15.1019.0) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcements.	GitLab
CVE-2026-6277	Jun 11, 2026	Auth Bypass in GitLab EE 13.9-18.10.8,18.11-18.11.5,19.0-19.0.2 (SM Role) GitLab has remediated an issue in GitLab EE affecting all versions from 13.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with Security Manager-role permissions to manage project security configuration even when the relevant feature was in a disabled state, due to incorrect authorization enforcement.	GitLab
CVE-2026-6552	Jun 11, 2026	Improper Auth in GitLab EE Group SAML (v15.518.10.8, 18.1118.11.5, 19.019.0.2) Owner Takeover GitLab has remediated an issue in GitLab EE affecting all versions from 15.5 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with group Owner role to take over another group member's GitLab account due to improper authorization in the Group SAML identity management functionality.	GitLab
CVE-2026-6976	Jun 11, 2026	GitLab CE/EE v15.9-18.10.8/18.11.5/19.0-19.0.2 Auth Dev Hide MR Diff GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.	GitLab
CVE-2026-7250	Jun 11, 2026	GitLab API Middleware DoS vulnerability before v18.11.5 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.	GitLab
CVE-2026-8589	Jun 11, 2026	GitLab EE: Unauth email addition via flawed sanitization, fixed in 19.0.2 GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.	GitLab
CVE-2026-9204	Jun 11, 2026	GitLab CE/EE 18.10-19.0: Auth File Read via Bad Sec URL Validation GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import, due to insufficient validation of secondary URLs.	Gitaly
CVE-2026-9694	Jun 11, 2026	Unauth GitLab Support Bot Impersonation via Service Desk Email CVE-2026-9694 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.	GitLab
CVE-2026-10087	Jun 11, 2026	GitLab EE up to 18.10.7, 18.11.4, 19.0.1 XSS via Analytics Dashboard GitLab has remediated an issue in GitLab EE affecting all versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.	GitLab
CVE-2026-10733	Jun 11, 2026	GitLab CI/CD Catalog DoS via Improper Sanitization (v17.0-<18.10.8/18.11-<18.11.5/19.0-<19.0.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that could have allowed an authenticated user to cause denial of service on the CI/CD Catalog page due to improper sanitization.	GitLab
CVE-2026-9807	May 28, 2026	GitLab auth allows blocked PAT to access resources before 18.10.7/18.11.4/19.0.1 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.	GitLab
CVE-2026-1402	May 27, 2026	GitLab 17.1-18.10.7/18.11-18.11.4/19.0-19.0.1 Authenticated DoS GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to cause denial of service due to insufficient validation.	GitLab
CVE-2026-2601	May 27, 2026	GitLab EE Auth Bypass: Dev Access to Deployment Data (<18.10.7, <18.11.4, <19.0.1) GitLab has remediated an issue in GitLab EE affecting all versions from 11.5 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects due to improper authorization checks.	GitLab
CVE-2026-4868	May 27, 2026	GitLab EE <18.10.7 / <18.11.4 / <19.0.1: Auth User Can Run Duo AI as Another User GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that, under certain conditions, could have allowed an authenticated user to cause specific Duo AI workflows to run under another user's identity due to improper user identity resolution when triggering Duo AI workflow runners.	GitLab
CVE-2026-5296	May 27, 2026	GitLab EE Flow Bypass 18.718.10.7/18.1118.11.4/19.019.0.1 GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that when foundational flows were enabled at the group level, could have allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.	GitLab
CVE-2026-6713	May 27, 2026	GitLab CE/EE unauth project enumeration via mis-auth (pre-18.10.7/18.11.4/19.0.1) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks.	GitLab
CVE-2026-8716	May 27, 2026	GitLab CE/EE 18.10.7/18.11.4/19.0.1 Authenticated CI Data Leak GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.	GitLab
CVE-2025-12669	May 14, 2026	GitLab CE/EE HTML/JS injection via email notifications (15.11-18.11.X) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization.	GitLab
CVE-2025-13874	May 14, 2026	GitLab CE/EE <18.9.7: Guest Auth can View Unauthorized Issues GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.	GitLab
CVE-2025-14869	May 14, 2026	GitLab API DoS via crafted payloads 18.5-18.9.7, 18.10-18.10.6, 18.11-18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted payloads on certain API endpoints.	GitLab
CVE-2025-14870	May 14, 2026	GitLab CE/EE DoS via crafted JSON before 18.9.7, 18.10.6, 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted JSON payloads due to insufficient input validation.	GitLab
CVE-2026-1184	May 14, 2026	GitLab EE <18.9.7 -> DOS via Crafted File Upload GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially crafted file due to improper validation.	GitLab
CVE-2026-1322	May 14, 2026	GitLab AuthZ:OAuth Users Create Issues (v16<18.9.7,18.10<18.10.6,18.11<18.11.3) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create issues and add comments to issues in private projects due to improper authorization.	GitLab
CVE-2026-1338	May 14, 2026	Auth-Role Dev Tag Delete Flaw, GitLab <=18.9.7,18.10<=18.10.6,18.11<=18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protected container registry tags due to improper authorization checks.	GitLab
CVE-2026-1659	May 14, 2026	GitLab CE/EE DoS via Input Validation, vulnerable before 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially crafted requests due to insufficient input validation.	GitLab
CVE-2026-2900	May 14, 2026	GitLab EE Auth Bypass: Approval Rules (16.1018.9.6, 18.1018.10.5, 18.1118.11.2) GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks.	GitLab
CVE-2026-3073	May 14, 2026	GitLab CE/EE PyPI Upload Auth Bypass before 18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to improper authorization checks.	GitLab
CVE-2026-3074	May 14, 2026	GitLab CE/EE 16.7-18.9.7 Unauth Access to Private Debug Symbols GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inaccessible projects due to improper access control.	GitLab
CVE-2026-3160	May 14, 2026	GitLab CE/EE Jira integration filter bypass before 18.9.7/18.10.6/18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project scope due to an integration filter functioning only as a display control rather than enforcing access boundaries as specified.	GitLab
CVE-2026-3607	May 14, 2026	GitLab Access Control Bypass CVE-2026-3607 (before 18.9.7, 18.10.6, 18.11.3) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package protection rules due to improper access control.	GitLab
CVE-2026-4524	May 14, 2026	GitLab CE/EE auth bypass: Conf Issue Access (v18.9.1-18.9.6, 18.10-18.10.5, 18.11-18.11.2) GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public projects without proper authorization due to improper authorization checks.	GitLab
CVE-2026-4527	May 14, 2026	GitLab Unauth Jira Subscription via CSRF 11.10-18.9.7/18.10-18.10.6/18.11-18.11.3 GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a targeted user's namespace via a specially crafted link due to missing CSRF protection.	GitLab
CVE-2026-6063	May 14, 2026	GitLab EE Authenticated Dev Users Delete Code Owner Rules (V11-18.11) GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.	GitLab
CVE-2026-6073	May 14, 2026	GitLab EE XSS: Authenticated Users Execute JS before v18.9.7, v18.10.6, v18.11.3 GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browsers due to improper input sanitization.	GitLab
CVE-2026-6335	May 14, 2026	GitLab 18 CE/EE XSS/Exec Remote Code in User Session via Sanitization Flaw GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization.	GitLab