Improper Input Validation Vulnerability in GitLab by GitLab
CVE-2026-5262
8 HIGH
What is CVE-2026-5262?
An improper input validation vulnerability in GitLab CE/EE could allow unauthenticated users to access sensitive tokens in the Storybook development environment. This issue affects multiple versions of GitLab, making it crucial for users to apply the latest updates to safeguard their systems. The vulnerability arises under specific conditions, requiring immediate attention from GitLab administrators to mitigate potential security risks.
Affected Version(s)
GitLab >= 16.1.0, < 18.9.6
GitLab >= 18.10, < 18.10.4
GitLab >= 18.11, < 18.11.1
CVSS V3.1
Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [joaxcar](https://hackerone.com/joaxcar) for reporting this vulnerability through our HackerOne bug bounty program