=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN619
_____________________________________________________________________

DATE                : 11/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running GitLab versions prior to 19.0.2,
                     18.11.5, 18.10.8.

=====================================================================
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/
_____________________________________________________________________

GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8

On June 10, 2026, we released versions 19.0.2, 18.11.5, 18.10.8 for
GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important bug and security fixes, and we
strongly recommend that all self-managed GitLab installations be
upgraded to one of these versions immediately. GitLab.com is already
running the patched version. GitLab Dedicated customers do not need
to take action.

GitLab releases fixes for vulnerabilities in patch releases. There are
two types of patch releases: scheduled releases and ad-hoc critical
patches for high-severity vulnerabilities. Scheduled releases are
released twice a month on the second and fourth Wednesdays. For more
information, please visit our releases handbook and security FAQ. You
can see all GitLab release blog posts here.

For security fixes, the issues detailing each vulnerability are made
public on our issue tracker 30 days after the release in which they
were patched.

We are committed to ensuring that all aspects of GitLab that are exposed
to customers or that host customer data are held to the highest
security standards. To maintain good security hygiene, it is highly
recommended that all customers upgrade to the latest patch release for
their supported version. You can read more best practices in securing
your GitLab instance in our blog post.

Recommended action

We strongly recommend that all installations running a version affected
by the issues described below are upgraded to the latest version as soon
as possible.

When no specific deployment type (omnibus, source code, helm chart,
etc.) of a product is mentioned, it means all types are affected.
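To act on the recommendation above, an operator first has to know whether the running instance falls inside one of the "Impacted Versions" ranges listed further down. The following script, an added example that is not part of the CERT-Renater note or of GitLab's own tooling, transcribes those ranges and reports which of the twelve CVEs still apply to a given version string. The version string format (`18.10.7-ee`) is the one returned in the `version` field of GitLab's `GET /api/v4/version` endpoint; the sample versions at the bottom are constructed for illustration, and treating a string with no edition suffix as EE is this script's own conservative choice, not something the advisory states.

```python
"""Map an installed GitLab version to the CVEs of this patch release that still apply.

Added example; ranges transcribed from the advisory's "Impacted Versions" lines.
"""
import re

# Patched version on each stable branch covered by this release, per the advisory.
FIXED_IN = {(18, 10): (18, 10, 8), (18, 11): (18, 11, 5), (19, 0): (19, 0, 2)}
OLDEST_FIX = (18, 10, 8)

# CVE -> (first affected version, editions affected), copied from the advisory text.
ADVISORY = {
    "CVE-2026-6552":  ("15.5",   {"EE"}),
    "CVE-2026-10087": ("17.1",   {"EE"}),
    "CVE-2026-7250":  ("12.10",  {"CE", "EE"}),
    "CVE-2026-8589":  ("13.1.4", {"EE"}),
    "CVE-2026-1500":  ("17.10",  {"CE", "EE"}),
    "CVE-2026-6269":  ("15.10",  {"CE", "EE"}),
    "CVE-2026-9204":  ("18.10",  {"CE", "EE"}),
    "CVE-2026-10733": ("17.0",   {"CE", "EE"}),
    "CVE-2026-6277":  ("13.9",   {"EE"}),
    "CVE-2026-6976":  ("15.9",   {"CE", "EE"}),
    "CVE-2026-3553":  ("12.0",   {"CE", "EE"}),
    "CVE-2026-9694":  ("15.9",   {"CE", "EE"}),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(ce|ee))?")


def parse_version(text):
    """Return ((major, minor, patch), edition) for a string such as '18.10.7-ee'.

    A missing patch component means .0 (the advisory writes '18.11' for 18.11.0).
    A missing edition suffix is treated as EE, the superset of affected CVEs
    (conservative choice made by this example, not stated by the advisory).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), (edition or "ee").upper()


def is_affected(version, introduced):
    """True if `version` lies in 'from <introduced> before 18.10.8, 18.11 before
    18.11.5, and 19.0 before 19.0.2'."""
    if version < introduced:
        return False
    fixed = FIXED_IN.get(version[:2])
    if fixed is not None:
        # On a branch that received a patch: affected until the patched release.
        return version < fixed
    # Branches without a patch in this release: anything older than the oldest
    # patched branch is still unfixed; anything newer (19.1+) already carries the fix.
    return version < OLDEST_FIX


def affected_cves(version_text):
    """List the CVE identifiers from this release that apply to `version_text`."""
    version, edition = parse_version(version_text)
    hits = []
    for cve, (introduced, editions) in ADVISORY.items():
        if edition not in editions:
            continue  # EE-only issue on a CE instance
        if is_affected(version, parse_version(introduced)[0]):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample versions, not real instances.
    for sample in ("18.10.7-ee", "18.10.7-ce", "16.0.0-ce", "18.11.5-ee", "19.1.0-ee"):
        cves = affected_cves(sample)
        print(f"{sample:12s} -> {len(cves):2d} open CVE(s): {', '.join(cves) or 'none'}")
```

Because the three fixed versions are shared by every issue in this release, the only per-CVE input is the version that introduced the bug, which is why the table above needs just one version per entry. Feed the script the `version` value from the instance's API and upgrade if the list is non-empty.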


Security fixes

Table of security fixes

Title | Severity

Improper Access Control issue in Group SAML Identity API impacts GitLab EE | High
Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE | High
Denial of Service issue in Grape API JSON parsing middleware impacts GitLab CE/EE | High
HTML injection issue in certain group setting fields impacts GitLab EE | High
Denial of Service issue in Group Placeholder Reassignments API impacts GitLab CE/EE | Medium
Improper Access Control issue in Merge Requests API impacts GitLab CE/EE | Medium
Server-Side Request Forgery issue in Gitaly repository import impacts GitLab CE/EE | Medium
HTML injection issue in CI/CD Catalog impacts GitLab CE/EE | Medium
Improper Access Control issue in Security Inventory impacts GitLab EE | Medium
Authorization Bypass issue in Merge Request diff impacts GitLab CE/EE | Low
Improper Access Control issue in Todos API impacts GitLab CE/EE | Low
Improper Neutralization issue in Service Desk email template impacts GitLab CE/EE | Low

CVE-2026-6552 - Improper Access Control issue in Group SAML Identity
API impacts GitLab EE

GitLab has remediated an issue that under certain conditions could
have allowed an authenticated user with group Owner role to take over
another group member’s GitLab account due to improper authorization
in the Group SAML identity management functionality.

Impacted Versions: GitLab EE: all versions from 15.5 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

Thanks cyberjoker for reporting this vulnerability through our
HackerOne bug bounty program


CVE-2026-10087 - Cross-site Scripting issue in Analytics Dashboard
impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user with developer-role permissions to execute
arbitrary client-side code on behalf of a targeted user due to improper
input sanitization in the Analytics Dashboard.

Impacted Versions: GitLab EE: all versions from 17.1 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 8.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)

Thanks yvvdwf for reporting this vulnerability through our HackerOne
bug bounty program


CVE-2026-7250 - Denial of Service issue in Grape API JSON parsing
middleware impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an unauthenticated user to cause denial of service due to
improper input validation in the API request parsing middleware.

Impacted Versions: GitLab CE/EE: all versions from 12.10 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Thanks svalkanov for reporting this vulnerability through our HackerOne
bug bounty program


CVE-2026-8589 - HTML injection issue in certain group setting fields
impacts GitLab EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user to add unauthorized email addresses to a
targeted user’s account due to improper sanitization of user-supplied
input in certain group setting fields.

Impacted Versions: GitLab EE: all versions from 13.1.4 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 7.3 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug
bounty program

CVE-2026-1500 - Denial of Service issue in Group Placeholder Reassignments
API impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user to cause denial of service due to uncontrolled
resource consumption when processing a specially crafted file upload.

Impacted Versions: GitLab CE/EE: all versions from 17.10 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Thanks a92847865 for reporting this vulnerability through our HackerOne
bug bounty program

CVE-2026-6269 - Improper Access Control issue in Merge Requests API
impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user with developer-role permissions to modify
hidden merge requests due to incorrect authorization enforcements.

Impacted Versions: GitLab CE/EE: all versions from 15.10 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Thanks rogerace for reporting this vulnerability through our HackerOne
bug bounty program

CVE-2026-9204 - Server-Side Request Forgery issue in Gitaly repository
import impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user to read arbitrary files from the Gitaly
server and access internal network resources during repository import,
due to insufficient validation of secondary URLs.

Impacted Versions: GitLab CE/EE: all versions from 18.10 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Thanks AndresAIFR for reporting this vulnerability


CVE-2026-10733 - HTML injection issue in CI/CD Catalog impacts GitLab CE/EE

GitLab has remediated an issue that could have allowed an authenticated
user to cause denial of service on the CI/CD Catalog page due to improper
sanitization.

Impacted Versions: GitLab CE/EE: all versions from 17.0 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

This vulnerability has been discovered internally by GitLab team member
Miguel Jimeno


CVE-2026-6277 - Improper Access Control issue in Security Inventory impacts
GitLab EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user with Security Manager-role permissions to
manage project security configuration even when the relevant feature was
in a disabled state, due to incorrect authorization enforcement.

Impacted Versions: GitLab EE: all versions from 13.9 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Thanks mateuszek for reporting this vulnerability through our HackerOne
bug bounty program


CVE-2026-6976 - Authorization Bypass issue in Merge Request diff impacts
GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user with developer-role permissions to hide
changes from merge request diff views due to improper input handling of
file names.

Impacted Versions: GitLab CE/EE: all versions from 15.9 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)

Thanks xorz for reporting this vulnerability through our HackerOne
bug bounty program


CVE-2026-3553 - Improper Access Control issue in Todos API impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could have
allowed an authenticated user to access confidential issue details due
to incorrect authorization checks.

Impacted Versions: GitLab CE/EE: all versions from 12.0 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Thanks go7f0 for reporting this vulnerability through our HackerOne bug
bounty program


CVE-2026-9694 - Improper Neutralization issue in Service Desk email
template impacts GitLab CE/EE

GitLab has remediated an issue that under certain conditions could
have allowed an unauthenticated user to impersonate the GitLab Support
Bot and inject arbitrary content via a specially crafted
Service Desk email reply due to improper neutralization in email
template processing.

Impacted Versions: GitLab CE/EE: all versions from 15.9 before 18.10.8,
18.11 before 18.11.5, and 19.0 before 19.0.2
CVSS 2.6 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Thanks 3nvz for reporting this vulnerability through our HackerOne
bug bounty program


Bug fixes

19.0.2

    Update VERSION files
    Backport of ‘Geo: fix container repository sync for OCI image indexes’
    Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
    Backport of “Move SANDBOX_SYSTEM_DIR to /var/tmp for non-root image compatibility”
    Backport of ‘Ensure uploads.id has the correct default’ into 19-0-stable-ee
    Backport of “fix Session cancel - bypass DuoApiAuthenticator checks for browser requests”
    Backport of “Bump ruby-jwt to 2.10.3” to 19.0
    Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
    Backport of “Return false when change_position is not in correct format”
    Backport of ‘Fix agentic chat model picker showing SaaS models on self-hosted gateway’
    Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘19-0-stable-ee’
    Backport of ‘Show ultimate_only agents when paid license is present’ to 19.0
    Backport: Allow composite identity SAs to bypass SAML membership lock
    Backport of ‘Allow job token basic auth for generic package upload’ to 19.0
    Backport of “Exclude invalid custom instructions from code review context”
    Update dependency oj to v3.17.3
    Backport of “Make CI cache limit per job configurable by admins”
    19-0 Stable Bump Container Registry to v4.40.1-gitlab
    [19.0 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured
    Backport the Golang upgrade 1.25.9 to 19-0

18.11.5

    [backport] praefect: Add configurable health check ping timeout option
    Enhance DNS rebinding protection in VirtualRegistries RedirectHandler
    Backport of ‘Geo: fix container repository sync for OCI image indexes’
    Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
    Backport of ‘Ensure uploads.id has the correct default’ into 18-11-stable-ee
    Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
    Backport of “Bump ruby-jwt to 2.10.3” to 18.11
    Backport of “Return false when change_position is not in correct format”
    Backport of ‘Fix agentic chat model picker showing SaaS models on self-hosted gateway’
    Backport of “Check if MR should be created ahead of forking”
    Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘18-11-stable-ee’
    Backport of ‘Show ultimate_only agents when paid license is present’ to 18.11
    Backport of “Make CI cache limit per job configurable by admins”
    Update dependency oj to v3.17.3
    [18.11] Mattermost Security Updates May 27, 2026
    [18.11 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured
    Backport Ubuntu 22.04 FIPS to 18.11

18.10.8

    Filter out non-user-defined rules on approval update
    Backport of ‘Geo: fix container repository sync for OCI image indexes’
    Backport of ‘Fix MCP tools checkbox visibility for Premium groups’
    Backport of “Bump ruby-jwt to 2.10.3” to 18.10
    Backport of “Fix JSON::ParserError escaping safe_parse in DiscussionsDiff::HighlightCache”
    Backport of “Return false when change_position is not in correct format”
    Update Rails Gems: Backport branch ‘update-activestorage2’ into ‘18-10-stable-ee’
    Backport of ‘Allow job token basic auth for generic package upload’ to 18.10
    Update dependency oj to v3.17.3
    Backport of “Make CI cache limit per job configurable by admins”
    Merge branch ‘jk/update-test-certificates’ into ‘master’
    [18.10] Mattermost Security Updates May 21, 2026
    [18.10] Mattermost Security Updates May 27, 2026
    [18.10 Backport] Fix: don’t set deprecated registry threshold when maxretries is configured


Important notes on upgrading

This patch includes database migrations that may impact your upgrade process.

Impact on your installation:

    Single-node instances: This patch will cause downtime during the
    upgrade as migrations must complete before GitLab can start.

    Multi-node instances: With proper zero-downtime upgrade procedures,
    this patch can be applied without downtime.


Post-deploy migrations

The following versions include post-deploy migrations that can run after
the upgrade:

    19.0.2
    18.11.5

To learn more about the impact of upgrades on your installation, see:

    Zero-downtime upgrades for multi-node deployments
    Standard upgrades for single-node installations

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the
Updating the Runner page.


Receive patch notifications

To receive patch blog notifications delivered to your inbox, visit our
contact us page. To receive release notifications via RSS, subscribe to
our patch release RSS feed or our RSS feed for all releases.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
