Arbitrary Script Execution and User Session Vulnerability in GitLab
CVE-2026-6896
8.7HIGH
What is CVE-2026-6896?
An issue in GitLab EE allows an authenticated user with developer-role permissions to execute arbitrary scripts in another user's browser session due to improper sanitization of user-supplied input. This vulnerability affects multiple versions of GitLab, necessitating prompt patching to safeguard against potential exploits that could compromise user sessions and data security.
Affected Version(s)
GitLab 13.11 < 18.11.7
GitLab 19.0 < 19.0.4
GitLab 19.1 < 19.1.2
References
CVSS V3.1
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thanks [yvvdwf](https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program