Arbitrary Code Execution Vulnerability in GitLab CE/EE
CVE-2026-6335
5.4 MEDIUM
What is CVE-2026-6335?
A security issue in GitLab CE/EE allows an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization of input. This vulnerability affects all versions from 18.11 prior to 18.11.3 and poses a risk of unauthorized actions being carried out on behalf of other users, potentially leading to data exposure or further exploitation within the application context.
Affected Version(s)
GitLab 18.11 < 18.11.3
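A small triage helper for the affected range above, added here as an example rather than code from GitLab or this advisory. It encodes only what the advisory states (all 18.11 releases before the fixed 18.11.3), so any version outside 18.11.x is reported as "not in this advisory's affected range", not as safe in general. The host inventory is constructed sample data.

```python
import re

# Affected range taken from the advisory: 18.11.0 (inclusive) up to the
# fixed release 18.11.3 (exclusive). Versions outside this range are not
# covered by this advisory at all.
AFFECTED_RANGES = [((18, 11, 0), (18, 11, 3))]


def parse_version(text):
    """Parse a GitLab version string such as '18.11.2' or '18.11.2-ee'
    into a (major, minor, patch) tuple. Edition suffixes and a leading
    'v' are ignored; a missing patch component is treated as 0."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True if the version falls inside an affected range of this advisory."""
    v = parse_version(version_text)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def triage(inventory):
    """Return the hostnames whose GitLab version is affected, sorted.
    'inventory' maps hostname -> version string."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "git-prod-1.example.test": "18.11.2-ee",
    "git-prod-2.example.test": "18.11.3-ee",
    "git-dev.example.test": "18.11.0",
    "git-legacy.example.test": "18.10.9",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade to 18.11.3 or later")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY`; the version parser deliberately stops at the numeric components so that CE and EE builds of the same release compare equally.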
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks to [toofikz](https://hackerone.com/toofikz) for reporting this vulnerability through our HackerOne bug bounty program.