These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-9694 is a vulnerability in GitLab CE/EE that could allow an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply. This issue is due to improper neutralization in email template processing and affects versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
CVE-2026-9204 is a vulnerability in GitLab CE/EE that could allow an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import. This issue affects versions 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an unauthenticated user to cause denial of service due to improper input validation in the API request parsing middleware.
CVE-2026-6976 is a low-severity vulnerability in GitLab CE/EE that could allow an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names. The vulnerability affects GitLab versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
CVE-2026-6552 is a high-severity vulnerability in GitLab EE's Group SAML identity management functionality. An authenticated user with the Group Owner role could, under certain conditions, take over another group member's GitLab account due to improper authorization.
CVE-2026-6269 is a medium-severity vulnerability in GitLab CE/EE that could allow an authenticated user with developer-role permissions to modify hidden merge requests due to incorrect authorization enforcement. The vulnerability affects all versions from 15.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
CVE-2026-3553 is a low-severity vulnerability in GitLab CE/EE that could allow an authenticated user to access confidential issue details due to incorrect authorization checks. The issue affects all versions from 12.0 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2.
CVE-2026-1500 is a medium-severity vulnerability (CVSS 6.5) affecting GitLab CE/EE versions from 17.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. The issue could allow an authenticated user to cause denial of service through uncontrolled resource consumption when processing a specially crafted file upload.
CVE-2026-10087 is a high-severity vulnerability (CVSS 8.7) in GitLab EE. An authenticated user with developer-role permissions could execute arbitrary client-side code on behalf of a targeted user due to improper input sanitization in the Analytics Dashboard.
GitLab has remediated an authorization enforcement flaw in GitLab CE/EE where blocked Project Access Tokens could, under certain conditions, continue accessing private resources. The vulnerability affects versions 18.9 through 18.10.6, 18.11 through 18.11.3, and 19.0. Patched versions are 18.10.7, 18.11.4, and 19.0.1. The issue was reported through HackerOne and assigned CWE-863 (Incorrect Authorization). [truncated]
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.7 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an authenticated user to access CI data from a different ref type than intended.
GitLab has remediated an authorization bypass vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that could allow unauthorized users to enumerate private projects. The issue stems from incorrect authorization checks under certain conditions. The vulnerability affects versions 18.2 through 18.10.6, 18.11 through 18.11.3, and version 19.0.0. GitLab released patches on May 27, 2026 in [truncated]
GitLab Enterprise Edition (EE) contains an authorization bypass vulnerability affecting the foundational flows feature. When foundational flows are enabled at the group level, an authenticated user with Developer role permissions can bypass flow restrictions under specific conditions. The vulnerability stems from missing authorization checks (CWE-862) in the flow enforcement logic. This is rated MEDIUM se [truncated]
GitLab has remediated an identity confusion vulnerability in GitLab Enterprise Edition (EE) affecting versions 18.8 through 18.10.6, 18.11 through 18.11.3, and 19.0.0. The flaw, rated HIGH severity (CVSS 8.2), stems from CWE-639: Authorization Bypass Through User-Controlled Key. Under specific conditions, an authenticated attacker could cause Duo AI workflow runners to execute under another user's identit [truncated]
GitLab has remediated an authorization bypass vulnerability in GitLab Enterprise Edition (EE) that could allow authenticated users with developer-role permissions to access sensitive deployment data on projects. The issue stems from improper authorization checks (CWE-862) and affects versions from 11.5 through 18.10.6, 18.11.0 through 18.11.3, and 19.0.0. GitLab released patches on May 27, 2026 in version [truncated]
GitLab has remediated a denial-of-service vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE). The issue, assigned CVSS 3.1 score 6.5 (Medium), stems from insufficient validation that could allow an authenticated user to cause denial of service under certain conditions. The vulnerability affects all versions from 17.1 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. Git [truncated]
A low-severity vulnerability was discovered in GitLab EE, affecting versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3. The issue allowed an authenticated user with Maintainer permissions to modify or delete project approval rules due to missing authorization checks when instance-level approval rule editing prevention was enabled.
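The entries above state their affected ranges in GitLab's "from A before B" form (A <= version < B, with B the first fixed release in that stream) or as "through X" with a separately stated patch version. The check a defender actually wants is to match a running instance's version string (GitLab's `GET /api/v4/version` returns it, e.g. `18.10.7-ee`) against every range at once and get back the first fixed release per stream. The script below does that. It is an added example, not PatchSiren's or GitLab's own code: the `AFFECTED` table is transcribed from the entries on this page (the two labels `blocked-PAT-authz` and `approval-rules-EE` are local names for the entries that carry no CVE id here, not real identifiers), "through" ranges are recorded as "before" the stated patch, and the version strings tested at the bottom are constructed samples, not readings from any real instance. It deliberately reports a version that falls between streams as "no listed range matches" rather than "safe", since an unlisted stream or an entry without a range is simply not checked.

```python
"""Match a GitLab version against the affected ranges quoted on this page.

Added example, not PatchSiren's or GitLab's own code. AFFECTED is transcribed
from the page entries ("from A before B" -> A <= version < B; "through X" with
a stated patch P is recorded as "before P"). Labels without a CVE id are local
names, not real identifiers. Sample versions at the bottom are constructed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Range = Tuple[str, str]  # (first affected release, first fixed release)

AFFECTED: Dict[str, List[Range]] = {
    "CVE-2026-9694": [("15.9", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-9204": [("18.10", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-6976": [("15.9", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-6269": [("15.10", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-3553": [("12.0", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    "CVE-2026-1500": [("17.10", "18.10.8"), ("18.11", "18.11.5"), ("19.0", "19.0.2")],
    # Blocked Project Access Token flaw (no CVE id on the page); "18.9 through
    # 18.10.6, 18.11 through 18.11.3, 19.0" with patches 18.10.7/18.11.4/19.0.1.
    "blocked-PAT-authz": [("18.9", "18.10.7"), ("18.11", "18.11.4"), ("19.0", "19.0.1")],
    # EE approval-rule flaw (no CVE id on the page).
    "approval-rules-EE": [("16.10", "18.9.7"), ("18.10", "18.10.6"), ("18.11", "18.11.3")],
}


def parse_version(s: str) -> Version:
    """'18.10.7-ee' -> (18, 10, 7); '19.0' -> (19, 0, 0).

    The edition/pre-release suffix after '-' does not affect range matching and
    is dropped. Anything that is not 1..3 dot-separated integers is rejected
    rather than silently coerced to a low version (which would hide findings).
    """
    core = s.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def in_range(v: Version, rng: Range) -> bool:
    """'from A before B' is the half-open interval A <= v < B."""
    lo, hi = parse_version(rng[0]), parse_version(rng[1])
    return lo <= v < hi


def affected(version: str) -> Dict[str, str]:
    """Return {advisory: first fixed release in that stream} for every listed
    advisory whose ranges cover `version`.

    An empty result means no range quoted on this page matches; it is not a
    proof of safety, because unlisted streams and entries without a range are
    not checked.
    """
    v = parse_version(version)
    hits: Dict[str, str] = {}
    for advisory, ranges in AFFECTED.items():
        for rng in ranges:
            if in_range(v, rng):
                hits[advisory] = rng[1]
                break  # streams do not overlap, one match per advisory
    return hits


if __name__ == "__main__":
    # Constructed sample versions, not readings from a real instance.
    for sample in ("18.10.7-ee", "18.11.5", "19.0.1", "12.5.0"):
        hits = affected(sample)
        print(sample, "->", hits or "no listed range matches")
```

Running it shows the practical point of the two patch batches on this page: 18.10.7 closes the blocked-token and approval-rule issues but still matches the six CVEs fixed in 18.10.8, while 18.11.5 matches nothing listed. A version from an old stream (12.5.0) still trips CVE-2026-3553, whose range starts at 12.0.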
CVE-2021-22175 is a GitLab server-side request forgery (SSRF) vulnerability that CISA has added to its Known Exploited Vulnerabilities catalog. That KEV listing means organizations using GitLab should treat this as a priority remediation item and follow the vendor’s mitigation guidance as soon as possible. The supplied source corpus does not include version ranges, exploitation details, or impact specific [truncated]
CVE-2021-39935 is a server-side request forgery (SSRF) vulnerability affecting GitLab Community and Enterprise Editions. CISA lists it in the Known Exploited Vulnerabilities catalog, so defenders should treat it as actively exploited and prioritize remediation. The supplied corpus does not include affected version ranges or CVSS scoring, so version-specific exposure should be confirmed against the officia [truncated]
CVE-2023-7028 is a GitLab Community and Enterprise Editions improper access control vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2024-05-01. Because it is listed in KEV, defenders should treat it as an urgent patch-or-mitigate issue for any GitLab CE/EE deployment, especially externally reachable instances. CISA’s guidance is to apply vendor mitigations or discontinue us [truncated]
CVE-2021-22205 is a GitLab Community and Enterprise Editions remote code execution vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2021-11-03. Because CISA also marks the issue as having known ransomware campaign use, it should be treated as an immediate patching priority for any affected GitLab deployment.
CVE-2016-4340 describes a GitLab impersonation issue in which a remote authenticated user could "log in" as another user through unspecified vectors. NVD rates the issue HIGH (CVSS 3.0 8.8) with a network attack vector, low attack complexity, and no user interaction required. The affected range in the NVD corpus spans GitLab 8.2.0 through 8.7.0. Because the issue enables account impersonation, it should be treated as a high [truncated]