Client-Side Code Execution Vulnerability in GitLab EE
CVE-2026-10086

8.7HIGH

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
25 June 2026

What is CVE-2026-10086?

An issue in GitLab EE has been identified that allows an authenticated user with developer-role permissions to execute arbitrary client-side code in another user's session. This is due to improper sanitization of user-supplied input, potentially exposing users to risks. Affected versions include GitLab EE from 16.4 up until 18.11.6, as well as 19.0 prior to 19.0.3 and 19.1 before 19.1.1, prompting immediate patching to safeguard session integrity.

Affected Version(s)

GitLab 16.4 < 18.11.6

GitLab 19.0 < 19.0.3

GitLab 19.1 < 19.1.1

References

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program
.