
GitLab has rolled out Community Edition (CE) and Enterprise Edition (EE) security updates that resolve 13 vulnerabilities, including three high-severity bugs.
The most severe is CVE-2026-10086, an XSS flaw in the Analytics dashboard of GitLab EE, rooted in the improper sanitization of user-supplied input.
According to GitLab, the security defect could have allowed an authenticated user with developer rights to execute arbitrary client-side code in the context of other users’ sessions.
Next in line is CVE-2026-10712, an XSS in the Web IDE workbench asset handler that could have allowed unauthenticated attackers to execute JavaScript code in users’ browser sessions.
The third high-severity vulnerability is CVE-2026-12053, described as insufficient output filtering in Duo Workflows, which could have allowed users to access sensitive information already committed to a project.
The fresh GitLab CE/EE updates also resolve seven medium-severity flaws, including authorization bypass, incorrect authorization, insufficient filtering, improper input validation, and improper access control issues.
Successful exploitation of these bugs could have led to settings tampering, confidential information disclosure, DAST site profile secrets exfiltration, sensitive information being written to logs, content concealment, Maven package metadata overwrite, and package metadata disclosure.
Patches for all these flaws were included in GitLab CE/EE versions 19.1.1, 19.0.3, and 18.11.6. Users are advised to update their deployments as soon as possible.
“These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version,” GitLab notes.
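A defender's first question after reading an advisory like this is whether each self-managed instance is already on one of the fixed releases. The check below is an added example, not GitLab's own tooling: it takes only the three fixed versions named in the advisory (19.1.1, 19.0.3, 18.11.6) from the article, and everything else (the handling of branches the advisory does not mention, the constructed inventory of version strings) is an assumption made for illustration.

```python
"""Classify self-managed GitLab version strings against the fixed releases.

Added example, not GitLab's own code. Only the three patched versions come from
the advisory; the branch-handling rules and the sample inventory are assumptions.
"""
import re

# Fixed releases from the advisory, keyed by (major, minor) release branch.
PATCHED = {
    (19, 1): (19, 1, 1),
    (19, 0): (19, 0, 3),
    (18, 11): (18, 11, 6),
}


def parse_version(text):
    """Turn '19.0.2-ee' or '18.11.6' into (major, minor, patch).

    Edition suffixes such as '-ee' or '-ce' are ignored; anything that does not
    start with three dotted integers is rejected rather than silently guessed.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def status(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_version(text)
    branch = version[:2]
    if branch in PATCHED:
        # Same branch as a fixed release: compare the patch level directly.
        return "patched" if version >= PATCHED[branch] else "vulnerable"
    if branch > max(PATCHED):
        # Assumption: branches released after 19.1 carry the same fixes.
        return "patched"
    if branch < min(PATCHED):
        # Older than any fixed branch: the advisory offers no fix there,
        # so the only remediation is an upgrade.
        return "vulnerable"
    # A branch between the fixed ones that the advisory does not name.
    return "unknown"


def check_inventory(inventory):
    """Map each instance name to its status; bad version strings are flagged."""
    report = {}
    for name, version in inventory.items():
        try:
            report[name] = status(version)
        except ValueError:
            report[name] = "unparseable"
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "git-prod": "19.1.1-ee",
    "git-staging": "19.0.2-ee",
    "git-legacy": "18.10.4-ce",
    "git-lab": "18.11.6",
    "git-broken": "latest",
}

if __name__ == "__main__":
    for host, result in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result}")
```

In practice the version string for each instance comes from GitLab's `GET /api/v4/version` endpoint (an authenticated call that returns the running version) or from the admin area; feed those values into `check_inventory` in place of the constructed sample. Treating unparseable strings as a distinct result, rather than skipping them, keeps a misconfigured inventory entry from quietly looking compliant.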
https://www.securityweek.com/gitlab-patches-code-execution-information-disclosure-vulnerabilities/