Input Sanitization Flaw in GitLab EE Versions and Developer Role Permissions
CVE-2026-10087
8.7HIGH
What is CVE-2026-10087?
GitLab has addressed a security vulnerability in GitLab EE that affects various versions. This issue arises from improper input sanitization within the Analytics Dashboard, which could potentially enable authenticated users with developer-role permissions to execute arbitrary client-side code on behalf of other targeted users. The flaw highlights the importance of robust input validation to protect against unauthorized actions within the software.
Affected Version(s)
GitLab 17.1 < 18.10.8
GitLab 18.11 < 18.11.5
GitLab 19.0 < 19.0.2
References
CVSS V3.1
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program