Remote Code Execution Vulnerability in GitLab by GitLab Inc.
CVE-2025-13761
8 HIGH
What is CVE-2025-13761?
A vulnerability in GitLab CE/EE versions prior to 18.6.3 and 18.7.1 allowed an unauthenticated attacker to act within the session of an authenticated user. By tricking the legitimate user into visiting a specially crafted webpage, the attacker could execute arbitrary code within the context of that user's session. Because the code runs inside the victim's authenticated session, the attacker gains whatever that user can read or change in the instance; no credentials are needed, but the victim must follow the attacker's link (CVSS: Privileges Required None, User Interaction Required).
Affected Version(s)
GitLab 18.6 < 18.6.3
GitLab 18.7 < 18.7.1
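As an added example (not GitLab's tooling and not code from this page), the following Python classifies a GitLab version string against the Affected Version(s) ranges listed above. Branches the page does not enumerate (for example 18.5) are reported as "not-listed" rather than "fixed", because this page gives no verdict on them. The `fetch_version` helper reads the real `/api/v4/version` endpoint, which requires a personal access token; the sample inputs at the bottom are constructed stand-ins for its output so the script runs offline.

```python
"""Classify a GitLab version against the affected ranges on this page.

Added example, not GitLab's own tooling. AFFECTED_BRANCHES is transcribed from
the Affected Version(s) list above; nothing here is derived from the bug itself.
"""
import json
import re
import urllib.request
from typing import Tuple

Version = Tuple[int, int, int]

# Branch (major, minor) -> first patch release in that branch that is fixed.
# Transcribed from this page: 18.6 < 18.6.3 and 18.7 < 18.7.1.
AFFECTED_BRANCHES = {
    (18, 6): (18, 6, 3),
    (18, 7): (18, 7, 1),
}

# Accepts "18.6.2", "v18.6.2" and "18.6.2-ee" (the -ee/-ce suffix GitLab appends).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Return (major, minor, patch); raise ValueError on anything unparseable."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """'vulnerable' or 'fixed' for a branch this page lists, else 'not-listed'.

    'not-listed' is deliberately not 'fixed': the page only enumerates the 18.6
    and 18.7 branches, so it gives no basis for a verdict on, say, 18.5.x.
    """
    version = parse_version(text)
    fixed_at = AFFECTED_BRANCHES.get(version[:2])
    if fixed_at is None:
        return "not-listed"
    return "fixed" if version >= fixed_at else "vulnerable"


def fetch_version(base_url: str, token: str, timeout: float = 10.0) -> str:
    """Read the running version from GitLab's /api/v4/version (needs a PAT).

    Assumed usage: fetch_version("https://gitlab.example.com", token). Not
    exercised by the offline sample below.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs standing in for /api/v4/version responses.
    for sample in ("18.6.2-ee", "18.6.3-ee", "18.7.0", "v18.7.1", "18.5.9"):
        print(f"{sample:>10} -> {assess(sample)}")
```

Run it against the output of `fetch_version` for each instance you operate; anything that comes back "not-listed" still needs to be checked against the vendor advisory, since this page says nothing about branches other than 18.6 and 18.7.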
References
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program