The flaws, disclosed on May 13, 2026, impact both Community Edition (CE) and Enterprise Edition (EE), prompting urgent warnings for organizations running self-managed instances.
The company released patched versions 18.11.3, 18.10.6, and 18.9.7, addressing 25 vulnerabilities spanning Cross-Site Scripting (XSS), Denial-of-Service (DoS), and access control issues.
While GitLab.com is already protected, unpatched on-premise deployments remain highly exposed to exploitation.
Among the most critical issues are four high-severity XSS vulnerabilities, each with a CVSS score of 8.7.
These flaws originate from improper input sanitization in widely used components such as analytics dashboards, global search, and Duo Agent output rendering.
Attackers with standard authenticated access can inject malicious JavaScript into these features. Once executed in a victim’s browser, the payload can steal session tokens, impersonate users, and manipulate repositories without detection.
This makes insider threats or compromised developer accounts, particularly dangerous.
Security researchers warn that such attacks could persist unnoticed, enabling long-term espionage within development environments.
For example, a malicious script embedded in a shared dashboard could silently capture credentials from multiple engineers accessing the same project.
In addition to XSS flaws, GitLab patched three high-severity DoS vulnerabilities (CVSS 7.5) that require no authentication.
These bugs affect the CI/CD job update API, Duo Workflows API, and internal API endpoints.
By sending specially crafted requests or malformed JSON payloads, attackers can exhaust server resources and crash GitLab services remotely.
This opens the door to large-scale disruption, where threat actors can deliberately halt software delivery pipelines, delaying releases and impacting business operations.
Beyond these, GitLab resolved multiple medium-severity issues, including improper authorization in GraphQL (CVE-2026-1322), CSRF in JiraConnect integrations, and unauthorized access to sensitive package and registry components.
| CVE ID | Type / Short Title | Impacted Area | Severity |
|---|---|---|---|
| CVE-2026-7481 | XSS in analytics dashboard | GitLab EE Analytics | High |
| CVE-2026-5297 | XSS in global search | GitLab CE/EE | High |
| CVE-2026-6073 | XSS in Duo Agent output | GitLab EE Duo Agent | High |
| CVE-2026-7377 | XSS in analytics dashboard | GitLab EE Analytics | High |
| CVE-2026-1659 | DoS in CI/CD job update API | GitLab CE/EE CI/CD | High |
| CVE-2025-14870 | DoS in Duo Workflows API | GitLab CE/EE | High |
| CVE-2025-14869 | DoS in internal API | GitLab CE/EE | High |
| CVE-2026-1322 | Improper authorization in GraphQL | GitLab CE/EE GraphQL | Medium |
| CVE-2026-1184 | DoS in Insights configuration | GitLab EE Insights | Medium |
| CVE-2026-4524 | Access control in Issues API | GitLab CE/EE | Medium |
| CVE-2026-8280 | DoS in CSV parser | GitLab CE/EE | Medium |
| CVE-2026-4527 | CSRF in JiraConnect | GitLab CE/EE | Medium |
| CVE-2026-3160 | Confused Deputy in Jira | GitLab CE/EE | Medium |
| CVE-2026-6335 | XSS in Banzai sanitizer | GitLab CE/EE | Medium |
| CVE-2025-12669 | XSS in email notifications | GitLab CE/EE | Medium |
| CVE-2026-3607 | Access control in Helm upload | GitLab CE/EE | Medium |
| CVE-2026-3074 | Improper access in NuGet Server | GitLab CE/EE | Medium |
| CVE-2026-1338 | Access control in Container Registry | GitLab CE/EE | Medium |
| CVE-2026-8144 | Missing auth in group user search | GitLab CE/EE | Medium |
| CVE-2026-6063 | Improper access in code owner rules | GitLab EE | Medium |
| CVE-2026-3073 | Access control in PyPI rules | GitLab CE/EE | Medium |
| CVE-2025-13874 | Improper access in issue links API | GitLab CE/EE | Medium |
| CVE-2026-7471 | SSRF in virtual registry redirect | GitLab EE | Low |
| CVE-2026-2900 | Access control in GraphQL mutations | GitLab EE | Low |
| CVE-2026-6883 | Missing auth in Security Policy | GitLab EE | Low |
Organizations using self-managed GitLab deployments are strongly advised to upgrade immediately. Delaying patches could leave development infrastructure vulnerable to stealthy account compromise or disruptive service outages, both of which pose significant operational and security risks.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post Critical GitLab Flaw Enables XSS and Unauthenticated DoS Attacks appeared first on Cyber Security News.
Ever since they started coming out on PC, the Forza Horizon games have been some…
The post Cloudbass Taps dB Broadcast, Grass Valley For New IP-based OB Trucks For Sports…
We’ve just passed two notable anniversaries in broadcast television’s history. A closer look at the…
The post Study: Downstream Fiber Usage Outpaces Cable Broadband appeared first on TV News Check.
The post Cloudbass Taps dB Broadcast, Grass Valley For New IP-based OB Trucks For Sports…
Wendy McMahon Global media technology company Merzigo has engaged Wendy McMahon as senior adviser for…
This website uses cookies.