Unauth GitLab Support Bot Impersonation via Service Desk Email CVE-2026-9694
CVE-2026-9694 Published on June 11, 2026
Improper Neutralization of Substitution Characters in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Vulnerability Analysis
CVE-2026-9694 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Improper Neutralization of Substitution Characters
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component.
Products Associated with CVE-2026-9694
Want to know whenever a new CVE is published for GitLab? stack.watch will email you.
Affected Versions
GitLab:- Version 15.9 and below 18.10.8 is affected.
- Version 18.11 and below 18.11.5 is affected.
- Version 19.0 and below 19.0.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.