EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in self-managed GitLab installations, affecting Community Edition (CE) and Enterprise Edition (EE) releases prior to 18.11.3, 18.10.6, and 18.9.7, the versions in which the fixes ship. These vulnerabilities include high-severity Cross-Site Scripting (XSS) and Denial of Service (DoS) flaws. The most significant portion of this update covers several high-severity XSS vulnerabilities, many carrying a CVSS score of 8.7, in commonly used features such as analytics dashboards and global search. These flaws could allow attackers to execute arbitrary JavaScript in the browsers of other users, posing a significant risk to business operations and data confidentiality.
- CVE-2026-7481 with a CVSS score of 8.7 – This vulnerability allows authenticated users with developer-role permissions to execute scripts by exploiting how charts and dashboards render data in the analytics dashboard feature.
- CVE-2026-7377 with a CVSS score of 8.7 – This flaw also resides in the analytics dashboard and allows authenticated developers to execute scripts by exploiting how charts and dashboards render data.
- CVE-2026-5297 with a CVSS score of 8.7 – This vulnerability impacts both CE and EE and allows for script execution through malicious search queries in the global search feature.
- CVE-2026-6073 – This flaw affects the Duo Agent and allows attackers to execute scripts through improperly sanitized AI output rendering.
- CVE-2026-6335 – This vulnerability affects the Banzai markdown sanitizer and allows attackers to execute scripts through improperly sanitized markdown.
- CVE-2026-1659 – This flaw allows unauthenticated users to trigger a Denial of Service (DoS) by sending specially crafted requests or JSON payloads to the CI/CD job update API.
- CVE-2025-14870 – This vulnerability also allows unauthenticated users to trigger a DoS by sending specially crafted requests or JSON payloads to the Duo Workflows API.
- CVE-2026-8280 – This flaw allows authenticated users to crash the system through excessive memory consumption by supplying malicious CSV input to the parser used in direct transfers.
- CVE-2026-4524 – This vulnerability allows authenticated users to view confidential issue content in public projects due to gaps in authorization checks.
- CVE-2025-13874 – This flaw allows authenticated users to access issues in projects they were not authorized to enter due to gaps in authorization checks.
- CVE-2026-3607 – This vulnerability allows users with developer-role permissions to bypass safeguards and upload restricted packages through flaws in Helm protection rules.
- CVE-2026-3073 – This flaw allows users with developer-role permissions to bypass safeguards and upload restricted packages through flaws in PyPI package protection rules.
The identified vulnerabilities pose a significant risk to business operations and data confidentiality. If exploited, these vulnerabilities could lead to unauthorized access, data breaches, and system crashes, ultimately resulting in financial losses, reputational damage, and compromised business continuity.
RECOMMENDATION:
- We recommend updating GitLab to version 18.11.3, 18.10.6, or 18.9.7 (the patched release on your current minor branch) or later. No patched release is listed for branches older than 18.9, so installations on those branches should move to one of the three fixed versions.
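The following script is an added example, not GitLab's own code or part of the original advisory. It classifies a running GitLab version against the three fixed releases named above, handling the `-ee`/`-ce` suffixes GitLab appends to its version strings, and distinguishing a vulnerable supported branch from an older branch that has no fix listed. The `/api/v4/version` endpoint is GitLab's real API (it requires any valid personal access token); the base URL and token are placeholders you supply, and the sample version strings at the bottom are constructed for illustration.

```python
"""Classify a self-managed GitLab version against the fixed releases in this advisory.

Added example, not GitLab's code. FIXED_RELEASES is taken from the advisory
(18.11.3, 18.10.6, 18.9.7); everything else is an assumption for illustration.
"""
import json
import re
import urllib.request

# Earliest patched release on each supported minor branch, from the advisory.
FIXED_RELEASES = {
    (18, 11): (18, 11, 3),
    (18, 10): (18, 10, 6),
    (18, 9): (18, 9, 7),
}

# GitLab reports versions like "18.10.5-ee" or "18.11.2"; only the numeric triple matters here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """'18.10.5-ee' -> (18, 10, 5). Edition suffixes and pre-release tags are dropped."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> dict:
    """Return {'version', 'status', 'fixed_in'} for a GitLab version string.

    status is one of:
      'patched'     - at or above the fixed release on its minor branch
      'vulnerable'  - on a branch this advisory covers, but below the fixed release
      'unsupported' - older than 18.9; no fixed release listed, upgrade to a fixed branch
      'unknown'     - newer than any branch this advisory covers; check that release's notes
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        status = "patched" if (major, minor, patch) >= fixed else "vulnerable"
        return {"version": version, "status": status, "fixed_in": ".".join(map(str, fixed))}
    oldest = min(FIXED_RELEASES)
    if branch < oldest:
        # Point the operator at the lowest fixed branch, the smallest jump from an old release.
        return {"version": version, "status": "unsupported",
                "fixed_in": ".".join(map(str, FIXED_RELEASES[oldest]))}
    return {"version": version, "status": "unknown", "fixed_in": None}


def fetch_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's /api/v4/version endpoint (any valid PAT works)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample versions. Against a live instance, replace this list with
    # [fetch_version("https://gitlab.example.com", "<personal-access-token>")].
    for v in ["18.11.2-ee", "18.11.3", "18.10.6-ce", "18.9.6", "18.8.9", "18.12.0"]:
        r = assess(v)
        print(f"{r['version']:<12} {r['status']:<12} fixed_in={r['fixed_in']}")
```

The comparison is done per minor branch rather than as a single global threshold because GitLab backports security fixes to the three most recent minors: 18.9.7 is patched even though it is numerically lower than the vulnerable 18.10.5.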
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/gitlab-security-update-xss-dos-vulnerabilities-may-2026/