Unauthorized Email Address Injection in GitLab EE
CVE-2026-8589

7.3HIGH

Key Information:

Vendor

Gitlab

Status
Vendor
CVE Published:
11 June 2026

What is CVE-2026-8589?

A significant vulnerability in GitLab EE allows authenticated users to manipulate certain group settings, potentially leading to unauthorized email addresses being added to a user's account. This issue arises from insufficient sanitization of user-inputted data. Affected versions encompass a range of releases, mandating swift updates to safeguard user accounts against such exploits.

Affected Version(s)

GitLab 13.1.4 < 18.10.8

GitLab 18.11 < 18.11.5

GitLab 19.0 < 19.0.2

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks [go7f0](https://hackerone.com/go7f0) for reporting this vulnerability through our HackerOne bug bounty program
.