PatchSiren cyber security CVE debrief
CVE-2026-9204 GitLab CVE debrief
CVE-2026-9204 is a vulnerability in GitLab CE/EE that could allow an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import. This issue affects versions 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
- Vendor: GitLab
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Operators of GitLab CE/EE running 18.10 before 18.10.8, 18.11 before 18.11.5, or 19.0 before 19.0.2 are affected and should plan remediation.
Technical summary
The vulnerability is caused by insufficient validation of secondary URLs in GitLab CE/EE during repository import. An authenticated user can use it to read arbitrary files from the Gitaly server and to reach internal network resources from the GitLab host while an import is processed.
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to 18.10.8, 18.11.5, or 19.0.2, or a later release in the same line
- Refer to the vendor release notes for details: [ref-4](https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/)
Evidence notes
The CVE-2026-9204 record and associated details are sourced from official databases and vendor communications.
Official resources
- CVE-2026-9204 CVE record (CVE.org)
- CVE-2026-9204 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Release Notes
- Source reference: [email protected] - Issue Tracking
CVE-2026-9204 was published on 2026-06-11T12:16:32.983Z and modified on 2026-06-11T17:28:47.560Z.