NCSC-2026-0222

Vulnerability from csaf_ncscnl - Published: 2026-07-10 05:48 - Updated: 2026-07-10 05:48
Summary
Kwetsbaarheden verholpen in GitLab Enterprise Edition en Community Edition
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: GitLab heeft meerdere kwetsbaarheden verholpen in GitLab Enterprise Edition (EE) en Community Edition (CE) in versies variërend van 9.1 tot voor 18.11.7, 19.0 tot voor 19.0.4, en 19.1 tot voor 19.1.2.
Interpretaties: De kwetsbaarheden betreffen onder andere: - Het creëren van repositories met discrepanties tussen de webinterface en de daadwerkelijke downloadbare bestanden door onjuiste verwerking van Git reference names. - Onvoldoende autorisatiecontroles in GraphQL-operaties waardoor gebruikers met auditor-permissies compliance violation records kunnen aanpassen. - Cross-site scripting (XSS) waarbij gebruikers met developer-permissies kwaadaardige scripts kunnen injecteren in de browser van andere gebruikers door onjuiste inputsanitatie. - Ongeautoriseerde detectie van private projecten door onbevoegde gebruikers via cross-project reference pages. - Bypass van autorisatiecontroles waardoor gebruikers met minimale toegangsrechten metadata van werkitems in private projecten kunnen inzien. - Toegang tot opgeslagen credentials van andere gebruikers door maintainers via onvoldoende toegangsbeperkingen. - Ongeautoriseerde wijziging van groepsinstellingen door foutieve autorisatiecontroles op groepsniveau. Deze kwetsbaarheden maken het mogelijk voor gebruikers met verschillende toegangsrechten om acties uit te voeren of informatie in te zien die normaal gesproken beperkt zou moeten zijn, door het omzeilen van autorisatiecontroles of het misbruiken van onjuiste inputverwerking.
Oplossingen: GitLab heeft updates en patches uitgebracht voor de genoemde versies van de GitLab Editions om deze kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-522: Insufficiently Protected Credentials
CWE-706: Use of Incorrectly-Resolved Name or Reference
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization

GitLab fixed a vulnerability in multiple versions where authenticated users could create repositories with inconsistent content between the web interface and downloadable files due to improper Git reference name resolution.

CWE-706 - Use of Incorrectly-Resolved Name or Reference
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab EE versions before 18.11.7, 19.0.4, and 19.1.2 contained a vulnerability allowing authenticated users with auditor-level access to improperly modify compliance violation records via certain GraphQL operations due to insufficient authorization.

CWE-863 - Incorrect Authorization
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab addressed a security flaw in specific GitLab EE versions where authenticated users with developer rights could execute arbitrary scripts in other users' browsers due to insufficient input sanitization.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab addressed a security flaw in versions 9.1 through before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that allowed unauthenticated users to detect private project existence via improper authorization on cross-project reference pages.

CWE-862 - Missing Authorization
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab addressed a security vulnerability in multiple GitLab EE versions that allowed authenticated users with minimal access to read private project work item metadata due to missing authorization checks.

CWE-862 - Missing Authorization
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab Enterprise Edition versions prior to 18.11.7, 19.0.4, and 19.1.2 contained an authorization vulnerability allowing authenticated maintainers to access other users' stored credentials.

CWE-522 - Insufficiently Protected Credentials
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab EE versions 16.10 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2 contained an authorization flaw allowing authenticated users to improperly modify group-level settings, which has been fixed by GitLab.

CWE-863 - Incorrect Authorization
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

GitLab versions 15.7 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2 contained a vulnerability allowing authenticated users to execute arbitrary scripts in other users' browsers due to improper input sanitization.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Product Identifier Version Remediation
vers:unknown/*
GitLab / GitLab
vers:unknown/*

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "GitLab heeft meerdere kwetsbaarheden verholpen in GitLab Enterprise Edition (EE) en Community Edition (CE) in versies vari\u00ebrend van 9.1 tot voor 18.11.7, 19.0 tot voor 19.0.4, en 19.1 tot voor 19.1.2.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden betreffen onder andere: \n- Het cre\u00ebren van repositories met discrepanties tussen de webinterface en de daadwerkelijke downloadbare bestanden door onjuiste verwerking van Git reference names.\n- Onvoldoende autorisatiecontroles in GraphQL-operaties waardoor gebruikers met auditor-permissies compliance violation records kunnen aanpassen.\n- Cross-site scripting (XSS) waarbij gebruikers met developer-permissies kwaadaardige scripts kunnen injecteren in de browser van andere gebruikers door onjuiste inputsanitatie.\n- Ongeautoriseerde detectie van private projecten door onbevoegde gebruikers via cross-project reference pages.\n- Bypass van autorisatiecontroles waardoor gebruikers met minimale toegangsrechten metadata van werkitems in private projecten kunnen inzien.\n- Toegang tot opgeslagen credentials van andere gebruikers door maintainers via onvoldoende toegangsbeperkingen.\n- Ongeautoriseerde wijziging van groepsinstellingen door foutieve autorisatiecontroles op groepsniveau.\nDeze kwetsbaarheden maken het mogelijk voor gebruikers met verschillende toegangsrechten om acties uit te voeren of informatie in te zien die normaal gesproken beperkt zou moeten zijn, door het omzeilen van autorisatiecontroles of het misbruiken van onjuiste inputverwerking.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "GitLab heeft updates en patches uitgebracht voor de genoemde versies van de GitLab Editions om deze kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      },
      {
        "category": "general",
        "text": "Insufficiently Protected Credentials",
        "title": "CWE-522"
      },
      {
        "category": "general",
        "text": "Use of Incorrectly-Resolved Name or Reference",
        "title": "CWE-706"
      },
      {
        "category": "general",
        "text": "Missing Authorization",
        "title": "CWE-862"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference",
        "url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/"
      }
    ],
    "title": "Kwetsbaarheden verholpen in GitLab Enterprise Edition en Community Edition",
    "tracking": {
      "current_release_date": "2026-07-10T05:48:41.218196Z",
      "generator": {
        "date": "2025-08-04T16:30:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.3"
        }
      },
      "id": "NCSC-2026-0222",
      "initial_release_date": "2026-07-10T05:48:41.218196Z",
      "revision_history": [
        {
          "date": "2026-07-10T05:48:41.218196Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/*",
                "product": {
                  "name": "vers:unknown/*",
                  "product_id": "CSAFPID-1"
                }
              }
            ],
            "category": "product_name",
            "name": "GitLab"
          }
        ],
        "category": "vendor",
        "name": "GitLab"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-12506",
      "cwe": {
        "id": "CWE-706",
        "name": "Use of Incorrectly-Resolved Name or Reference"
      },
      "notes": [
        {
          "category": "other",
          "text": "Use of Incorrectly-Resolved Name or Reference",
          "title": "CWE-706"
        },
        {
          "category": "description",
          "text": "GitLab fixed a vulnerability in multiple versions where authenticated users could create repositories with inconsistent content between the web interface and downloadable files due to improper Git reference name resolution.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-12506 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-12506.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2025-12506"
    },
    {
      "cve": "CVE-2026-6352",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "other",
          "text": "Authorization Bypass Through User-Controlled Key",
          "title": "CWE-639"
        },
        {
          "category": "description",
          "text": "GitLab EE versions before 18.11.7, 19.0.4, and 19.1.2 contained a vulnerability allowing authenticated users with auditor-level access to improperly modify compliance violation records via certain GraphQL operations due to insufficient authorization.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-6352 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-6352.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-6352"
    },
    {
      "cve": "CVE-2026-6896",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "description",
          "text": "GitLab addressed a security flaw in specific GitLab EE versions where authenticated users with developer rights could execute arbitrary scripts in other users\u0027 browsers due to insufficient input sanitization.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-6896 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-6896.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-6896"
    },
    {
      "cve": "CVE-2026-7492",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authorization",
          "title": "CWE-862"
        },
        {
          "category": "description",
          "text": "GitLab addressed a security flaw in versions 9.1 through before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that allowed unauthenticated users to detect private project existence via improper authorization on cross-project reference pages.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-7492 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-7492.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-7492"
    },
    {
      "cve": "CVE-2026-8472",
      "cwe": {
        "id": "CWE-862",
        "name": "Missing Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Authorization",
          "title": "CWE-862"
        },
        {
          "category": "description",
          "text": "GitLab addressed a security vulnerability in multiple GitLab EE versions that allowed authenticated users with minimal access to read private project work item metadata due to missing authorization checks.",
          "title": "Summary"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-8472 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-8472.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-8472"
    },
    {
      "cve": "CVE-2026-11827",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "notes": [
        {
          "category": "other",
          "text": "Insufficiently Protected Credentials",
          "title": "CWE-522"
        },
        {
          "category": "other",
          "text": "Incorrect Privilege Assignment",
          "title": "CWE-266"
        },
        {
          "category": "description",
          "text": "GitLab Enterprise Edition versions prior to 18.11.7, 19.0.4, and 19.1.2 contained an authorization vulnerability allowing authenticated maintainers to access other users\u0027 stored credentials.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-11827 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-11827.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-11827"
    },
    {
      "cve": "CVE-2026-13151",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "description",
          "text": "GitLab EE versions 16.10 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2 contained an authorization flaw allowing authenticated users to improperly modify group-level settings, which has been fixed by GitLab.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-13151 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-13151.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-13151"
    },
    {
      "cve": "CVE-2026-13320",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "description",
          "text": "GitLab versions 15.7 to before 18.11.7, 19.0 to before 19.0.4, and 19.1 to before 19.1.2 contained a vulnerability allowing authenticated users to execute arbitrary scripts in other users\u0027 browsers due to improper input sanitization.",
          "title": "Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-13320 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2026/cve-2026-13320.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1"
          ]
        }
      ],
      "title": "CVE-2026-13320"
    }
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…