PatchSiren cyber security CVE debrief
CVE-2026-6976 GitLab CVE debrief
CVE-2026-6976 is a low-severity vulnerability in GitLab CE/EE that could allow an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names. The vulnerability affects GitLab versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
- Vendor: GitLab
- Product: Unknown
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of GitLab CE/EE versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 should be aware of this vulnerability and take steps to remediate it.
Technical summary
The vulnerability is caused by improper input handling of file names in GitLab CE/EE. An authenticated user with developer-role permissions could potentially hide changes from merge request diff views.
Defensive priority
Low
Recommended defensive actions
- Upgrade to GitLab version 18.10.8, 18.11.5, or 19.0.2 or later.
- Review and apply patches as described in the release notes listed under Official resources.
Evidence notes
The CVE record and NVD detail are listed under Official resources.
Official resources
- CVE-2026-6976 CVE record (CVE.org)
- CVE-2026-6976 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Release Notes
- Source reference: [email protected] - Issue Tracking
- Source reference: [email protected] - Permissions Required
CVE-2026-6976 was published on 2026-06-11T12:16:32.467Z and modified on 2026-06-11T17:34:47.923Z.