CVE-2020-26407
Description
An XSS vulnerability exists in GitLab CE/EE from 12.4 before 13.4.7, 13.5 before 13.5.5, and 13.6 before 13.6.2 that allows an attacker to perform cross-site scripting against other users via importing a malicious project.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in GitLab CE/EE via project import allows attackers to execute arbitrary JavaScript by crafting a malicious Zoom meeting URL.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in GitLab Community Edition (CE) and Enterprise Edition (EE) from 12.4 before 13.4.7, in 13.5.x before 13.5.5, and in 13.6.x before 13.6.2 (13.4.7, 13.5.5 and 13.6.2 are the fixed releases). The issue is in the ZoomUrlValidator, which only checks that the Zoom URL field contains a valid Zoom URL (using the ZoomLinkExtractor regex) rather than ensuring the entire value is a valid URL. An attacker can therefore import a malicious project containing an issue with a crafted Zoom meeting URL, such as javascript:alert(document.domain);//https://zoom.us/my/5556, which passes validation and is stored verbatim as the href of the "Join Zoom meeting" link [1].
Exploitation
An attacker must be able to create or modify a project export and then import it into the target GitLab instance (import is an ordinary project-creation action, so no elevated privileges are required). The steps are: (1) create a new project and add an issue, (2) add a comment with /zoom https://zoom.us/my/5556 to attach a Zoom meeting, (3) export the project, (4) modify the url attribute of the Zoom meeting in the exported project.json file to contain the XSS payload (e.g., javascript:alert(document.domain);//https://zoom.us/my/5556), and (5) import the modified project. When a victim views the issue and activates the "Join Zoom meeting" link (Ctrl/Cmd+click in Chrome/Firefox, or a plain left-click in Safari/Edge), the JavaScript payload executes in their session [1]. Because the payload lives in the stored href, it survives as long as the issue does and affects every user who clicks it.
Impact
Successful exploitation results in arbitrary JavaScript execution in the victim's browser in the origin of the GitLab instance. Since the script runs with the victim's authenticated session, it can issue requests on the victim's behalf (including to the GitLab API), read page content and any tokens exposed to the page, and modify what the victim sees; the session cookie itself is typically HttpOnly, so the practical risk is actions taken as the victim rather than cookie theft. The attack is blocked on GitLab.com by its Content Security Policy (CSP) headers, but it is exploitable on self-managed instances that do not enforce a CSP forbidding inline script. The attacker gains no server-side access but can fully compromise the victim's client-side session [1].
Mitigation
GitLab fixed the issue in versions 13.4.7, 13.5.5, and 13.6.2, released on December 10, 2020 [1]. Users of affected versions should upgrade to at least these patched releases. No workaround is available; a CSP that disallows inline script (as on GitLab.com) blocks the payload but does not remove the stored javascript: href, so upgrading is the recommended mitigation. Administrators who accepted project imports from untrusted sources while running an affected version may also want to check existing issues for Zoom meeting URLs that are not plain https://...zoom.us links. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=12.4, <13.4.7
- (no CPE) range: 13.5.x, <13.5.5
- (no CPE) range: 13.6.x, <13.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `ZoomUrlValidator` only checks whether the URL field *contains* a valid Zoom URL, not that the entire field is a valid URL, allowing a `javascript:` payload to be prepended to a legitimate Zoom link."
Attack vector
An attacker exports a project that has an issue with a Zoom meeting, then modifies the `url` attribute in `project.json` to something like `javascript:alert(document.domain);//https://zoom.us/my/5556`. When the project is imported, the `ZoomUrlValidator` [ref_id=1] sees that the string contains a valid Zoom URL and passes validation. The malicious URL is stored and rendered as the `href` of the "Join Zoom meeting" link. A victim who activates the link (Ctrl/Cmd+click in Chrome/Firefox, or a regular click in Safari/Edge) executes the attacker's JavaScript in the context of the GitLab session.
Affected code
The `ZoomUrlValidator` class and `ZoomLinkExtractor` class in GitLab are at fault [ref_id=1]. The validator calls `Gitlab::ZoomLinkExtractor.new(value).links.size == 1`, which only checks that the value contains exactly one match for the Zoom URL regex, rather than validating that the entire value is a valid Zoom URL.
What the fix does
The advisory [ref_id=1] does not include a patch diff, but the expected fix is to change the validation so that the entire `url` field must be a valid Zoom URL, not merely contain one: anchor the match to the start and end of the value, or parse the value as a URL and require the `https` scheme and a `zoom.us` host, so that any content before or after the Zoom link (including a prepended `javascript:` scheme) is rejected. No patch is shown in the bundle; the remediation guidance is inferred from the issue description.
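The following Ruby is an added example, not GitLab's own code, contrasting the "contains exactly one Zoom link" check described under Affected code with a validator that requires the whole value to be a single https Zoom URL, and then using the strict check to scan an exported project.json for tampered Zoom meeting URLs. The `ZOOM_LINK` regex is an approximation of GitLab's extractor pattern, the `issues[].zoom_meetings[].url` layout of the export is an assumption, and the sample export is constructed for the example.

```ruby
# Added example (not GitLab's code): vulnerable "contains" check vs. strict
# whole-value check, plus a scan of an exported project.json for bad Zoom URLs.
require 'json'
require 'uri'

# Approximation of the Zoom-link regex used by the link extractor (assumption).
ZOOM_LINK = %r{https?://(?:[\w-]+\.)?zoom\.us/(?:s|j|my)/\S+}

# Vulnerable check, mirroring "links.size == 1": passes as long as exactly one
# Zoom link occurs *somewhere* in the value, so arbitrary prefixes survive.
def zoom_url_contains_valid?(value)
  value.to_s.scan(ZOOM_LINK).size == 1
end

# Hardened check: the entire value must parse as one https URL on zoom.us
# (or a zoom.us subdomain) with a meeting path, with nothing before or after.
def zoom_url_strict_valid?(value)
  return false unless value.is_a?(String) && value == value.strip
  uri = URI.parse(value)
  uri.is_a?(URI::HTTPS) &&
    !uri.host.nil? &&
    (uri.host == 'zoom.us' || uri.host.end_with?('.zoom.us')) &&
    uri.path.match?(%r{\A/(?:s|j|my)/[^/\s]+}) &&
    value.match?(/\A#{ZOOM_LINK}\z/)   # anchored: no surrounding content allowed
rescue URI::InvalidURIError
  false
end

# Constructed sample in the shape of an exported project.json (assumed layout:
# issues[].zoom_meetings[].url); only the fields used here are included.
SAMPLE_EXPORT = <<~JSON
  {
    "name": "demo",
    "issues": [
      {"iid": 1, "title": "clean",
       "zoom_meetings": [{"url": "https://zoom.us/my/5556", "issue_status": 1}]},
      {"iid": 2, "title": "tampered",
       "zoom_meetings": [{"url": "javascript:alert(document.domain);//https://zoom.us/my/5556", "issue_status": 1}]}
    ]
  }
JSON

# Returns [issue_iid, url] for every Zoom meeting URL that fails the strict
# check, i.e. anything an import should refuse or an admin should clean up.
def flag_tampered_zoom_urls(json_text)
  data = JSON.parse(json_text)
  Array(data['issues']).flat_map do |issue|
    Array(issue['zoom_meetings']).filter_map do |meeting|
      url = meeting['url']
      [issue['iid'], url] unless zoom_url_strict_valid?(url)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = 'javascript:alert(document.domain);//https://zoom.us/my/5556'
  puts "contains-check accepts payload: #{zoom_url_contains_valid?(payload)}"
  puts "strict-check accepts payload:   #{zoom_url_strict_valid?(payload)}"
  flag_tampered_zoom_urls(SAMPLE_EXPORT).each do |iid, url|
    puts "issue #{iid}: rejected zoom url #{url.inspect}"
  end
end
```

The strict check also rejects a second class of bypass the contains-check lets through, a foreign host carrying a Zoom link in its query string (e.g. `https://evil.example/?u=https://zoom.us/my/5556`), because it inspects the parsed host rather than searching the string. Run the scan against a `project.json` pulled from an export archive to find entries that an affected version would have accepted.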
Preconditions
- auth: Attacker must be able to create and export a project, then modify the exported JSON before re-importing it.
- input: The imported project must contain an issue whose Zoom meeting `url` has been tampered with.
- input: A victim user must activate the "Join Zoom meeting" link (Ctrl/Cmd+click in Chrome/Firefox, or a regular click in Safari/Edge).
Reproduction
1. Create a new project, add an issue, and add a comment with `/zoom https://zoom.us/my/5556` to attach a Zoom meeting.
2. Export the project.
3. In the exported `project.json`, change the `url` attribute of the Zoom meeting to `javascript:alert(document.domain);//https://zoom.us/my/5556`.
4. Import the modified project.
5. Ctrl/Cmd+click (Chrome/Firefox) or left-click (Safari/Edge) the "Join Zoom meeting" button to trigger the XSS [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- gitlab.com/gitlab-org/cves/-/blob/master/2020/CVE-2020-26407.json (MITRE refsource: CONFIRM)
- gitlab.com/gitlab-org/gitlab/-/issues/212630 (MITRE refsource: MISC)
- hackerone.com/reports/832117 (MITRE refsource: MISC)
News mentions
No linked articles in our index yet.