GitLab patches CSRF and XSS flaws enabling token theft and browser-side code execution
GitLab disclosed and remediated three high-severity vulnerabilities in GitLab CE/EE that could, under certain conditions, be exploited by an attacker holding no GitLab credentials. CVE-2026-4922 is a cross-site request forgery flaw (CWE-352) that could let an attacker cause a logged-in victim's browser to submit GraphQL mutations under the victim's session, while CVE-2026-5262 is a cross-site scripting issue (CWE-79) that could expose tokens in the Storybook development environment. GitLab also fixed CVE-2026-5816, an improper resolution of path equivalence flaw (CWE-41) that could allow arbitrary JavaScript execution in a victim's browser session.
The issues affect multiple GitLab CE/EE release lines; the patched versions are 18.9.6, 18.10.4, and 18.11.1, and which of them applies depends on the flaw. CVE-2026-4922 affects versions from 17.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1; CVE-2026-5262 affects versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1; and CVE-2026-5816 affects only 18.10 before 18.10.4 and 18.11 before 18.11.1. The vulnerabilities carry CVSS v3.1 ratings reflecting high confidentiality and integrity impact, and GitLab linked the disclosures to its patch release notice, internal work items, and HackerOne reports.
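The disclosure describes CVE-2026-4922 only as a CSRF that can "trigger GraphQL mutations as an authenticated user". To make that failure mode concrete, the following is an added example, not GitLab's code and not a reproduction of the actual flaw: a small Ruby model (Ruby being GitLab's own language) of a GraphQL endpoint's request-acceptance logic, with a handler that trusts the session cookie alone beside a hardened one that demands an Origin match, a JSON content type, and a session-bound anti-CSRF token before running a mutation. The trusted origin, the session store, the mutation name and the sample request are all constructed for the example.

```ruby
require 'json'
require 'openssl'
require 'securerandom'

# Deployment secret and trusted origin: constructed for this example.
SERVER_SECRET  = SecureRandom.hex(32)
TRUSTED_ORIGIN = 'https://gitlab.example.test'

# In-memory session store: cookie value => { user:, csrf_secret: }
SESSIONS = {}

def create_session(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = { user: user, csrf_secret: SecureRandom.hex(16) }
  sid
end

# Anti-CSRF token derived from a per-session secret. A cross-site page cannot
# obtain it: same-origin policy hides the response that carries it.
def csrf_token_for(sid)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_SECRET, SESSIONS.fetch(sid)[:csrf_secret])
end

# Constant-time comparison so a token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Does the GraphQL document in the request body declare a mutation?
def mutation?(body)
  query = JSON.parse(body).fetch('query', '').to_s
  query.match?(/\A\s*mutation\b/)
rescue JSON::ParserError, TypeError
  true # unparseable or missing body: fail closed, treat it as state-changing
end

# VULNERABLE: authenticates from the session cookie alone. Browsers attach
# cookies to cross-site POSTs automatically, so an auto-submitting form on
# attacker.test runs the mutation as whoever is logged in.
def vulnerable_graphql(req)
  sess = SESSIONS[req[:cookie]]
  return { status: 401 } unless sess
  { status: 200, ran_as: sess[:user] }
end

# HARDENED: a mutation must prove it came from our own front end. An HTML
# form cannot set Origin to our site, cannot send application/json without a
# CORS preflight, and cannot read the token bound to the victim's session.
def hardened_graphql(req)
  sess = SESSIONS[req[:cookie]]
  return { status: 401 } unless sess
  if mutation?(req[:body])
    headers = req[:headers] || {}
    return { status: 403, reason: 'origin' } unless headers['Origin'] == TRUSTED_ORIGIN
    return { status: 403, reason: 'content-type' } unless headers['Content-Type'].to_s.start_with?('application/json')
    return { status: 403, reason: 'token' } unless secure_equal?(headers['X-CSRF-Token'].to_s, csrf_token_for(req[:cookie]))
  end
  { status: 200, ran_as: sess[:user] }
end

if __FILE__ == $PROGRAM_NAME
  sid = create_session('victim')
  # Constructed cross-site request: what a malicious page's auto-submitting
  # form produces. Wrong origin, text/plain body, no token, victim's cookie.
  forged = { cookie: sid,
             headers: { 'Origin' => 'https://attacker.test', 'Content-Type' => 'text/plain' },
             body: '{"query":"mutation { deleteThing(id: 1) { ok } }"}' }
  puts "vulnerable: #{vulnerable_graphql(forged)}"
  puts "hardened:   #{hardened_graphql(forged)}"
end
```

Read-only queries are left alone because same-origin policy already stops a cross-site page from reading their responses; the checks are applied to whatever changes state, and an unparseable body is treated as state-changing rather than waved through. A real deployment behind proxies that strip Origin would also need to accept `Sec-Fetch-Site: same-origin`, and the token must never be exposed on a page an attacker can embed, which is the kind of leak the Storybook XSS (CVE-2026-5262) illustrates.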

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE record for CVE-2026-4922 is received by GitLab CNA
The CVE entry for CVE-2026-4922 was newly received by cve@gitlab.com, indicating formal CVE intake for the CSRF issue affecting GitLab CE/EE. The record tied the vulnerability to GitLab's April 22 patch release and related disclosure artifacts.
GitLab publicly discloses CVE-2026-4922, CVE-2026-5262, and CVE-2026-5816
GitLab disclosed details for three high-severity vulnerabilities on April 22, 2026, including affected versions, impact, CWE classifications, and CVSS vectors. The disclosures stated the flaws had been remediated and referenced GitLab patch release notes, internal work items, and HackerOne reports.
GitLab releases patches for three CE/EE vulnerabilities
GitLab issued patched releases 18.9.6, 18.10.4, and 18.11.1 to remediate three vulnerabilities affecting GitLab CE/EE: CVE-2026-4922 (CSRF in GraphQL mutations), CVE-2026-5262 (XSS/input validation issue exposing tokens in Storybook), and CVE-2026-5816 (path equivalence issue enabling arbitrary JavaScript execution). The fixes covered affected version ranges spanning 16.1.0 through 18.11 depending on the flaw.
Sources
3 references tracked.
CVE-2026-4922 - Cross-Site Request Forgery (CSRF) in GitLab (cvefeed.io)
CVE-2026-5262 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab (cvefeed.io)
CVE-2026-5816 - Improper Resolution of Path Equivalence in GitLab (cvefeed.io)