Improper Encoding or Escaping of Output in GitLab
Description
An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HTML injection through the GitLab email address field lets an attacker place attacker-controlled HTML in the administrator's confirmation dialog when the administrator manually confirms an email address under the "Soft" email confirmation setting.
Vulnerability
An HTML injection vulnerability exists in GitLab CE/EE in all versions from 7.14 before 15.11.10, from 16.0 before 16.0.6, and from 16.1 before 16.1.1. It allows an attacker to inject HTML through the email address field. When the instance uses the "Soft" email confirmation setting, an attacker can register an account and change their email address to a value containing an HTML payload. If an administrator then manually confirms the attacker's email, the HTML is rendered inside the modal confirmation dialog. The vulnerable code is the confirm_user_data method in app/helpers/users_helper.rb [1].
Exploitation
Exploitation requires a GitLab instance with the "Soft" email confirmation setting enabled. The attacker registers an account, logs in, and changes their email address to a value containing an HTML payload, then waits for an administrator to confirm the address manually. When the administrator views the user's page and clicks "Confirm user", the modal dialog displays the unconfirmed email with the injected HTML rendered. Some tags are filtered before rendering, so the usable payload is limited to markup that survives the filter [1].
Impact
Successful exploitation renders attacker-controlled HTML in the context of the administrator's browser session. This can be used for phishing, defacement of the dialog, or other client-side attacks against the administrator. The impact is confined to the administrator's browser and does not directly lead to server-side compromise, but it can be used to trick the administrator into performing actions [1].
Mitigation
GitLab has released fixed versions 15.11.10, 16.0.6, and 16.1.1. Administrators should upgrade to one of these versions or later. No workaround is documented. The vulnerability is not listed in CISA KEV as of the publication date [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GitLab CE/EE: >=7.14 <15.11.10, >=16.0 <16.0.6, >=16.1 <16.1.1
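The affected ranges above are half-open (introduced <= version < fixed). The following is an added example, not GitLab tooling, that checks a reported GitLab version string against those ranges; the ranges are copied from the advisory text, and the handling of an "-ee"/"-ce" suffix on the version string is an assumption about how a GitLab instance reports its version.

```ruby
require 'rubygems'

# Added example, not GitLab code. Each entry is [introduced, fixed): a version
# is affected when introduced <= v < fixed. Ranges are taken from the advisory.
AFFECTED_RANGES = [
  ["7.14", "15.11.10"],
  ["16.0", "16.0.6"],
  ["16.1", "16.1.1"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }.freeze

# Normalize strings such as "16.0.5-ee" (assumption: the edition suffix does not
# affect ordering, since CE and EE share the affected ranges).
def normalize_gitlab_version(str)
  Gem::Version.new(str.to_s.strip.sub(/-(ee|ce)\z/i, ""))
end

# True when the version falls inside any affected range.
def affected?(version_str)
  v = normalize_gitlab_version(version_str)
  AFFECTED_RANGES.any? { |lo, hi| v >= lo && v < hi }
end

# The fixed release on the same branch, or nil when the version is not affected.
def fixed_version_for(version_str)
  v = normalize_gitlab_version(version_str)
  AFFECTED_RANGES.each { |lo, hi| return hi.to_s if v >= lo && v < hi }
  nil
end

if __FILE__ == $0
  ARGV.each do |arg|
    verdict = affected?(arg) ? "affected, upgrade to #{fixed_version_for(arg)}" : "not in an affected range"
    puts "#{arg}: #{verdict}"
  end
end
```

Run it as `ruby check.rb 16.0.5-ee 15.11.10` to get one verdict per argument. Gem::Version compares segments numerically, so 15.11.10 sorts after 15.11.9, which a plain string comparison would get wrong.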
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing HTML sanitization of the unconfirmed email address when it is interpolated into the administrator confirmation dialog message."
Attack vector
An attacker registers an account on a GitLab instance configured with the "Soft" email confirmation setting, then changes their email address to a value containing an HTML payload. The payload is rendered when an administrator manually confirms that address from the user's page.
Affected code
The vulnerability resides in the `confirm_user_data` method in `app/helpers/users_helper.rb` [ref_id=1]. This method constructs a modal dialog message using `user.unconfirmed_email` without sanitizing the email value for HTML, allowing an attacker-controlled email string to be rendered as HTML in the confirmation dialog [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] describes the issue as HTML injection in the `confirm_user_data` helper, where `user.unconfirmed_email` is interpolated into a modal message without sanitization. The expected fix is to HTML-escape (or sanitize) the email address before it is placed in the `messageHtml` field of the confirmation dialog [ref_id=1]; the fixed releases named in the security release are 15.11.10, 16.0.6, and 16.1.1.
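To make the vulnerable pattern and its hardened form concrete, the following is an added example written for this page, not GitLab's code. Only the helper name `confirm_user_data`, the `user.unconfirmed_email` attribute, and the `messageHtml` field come from the advisory; the helper bodies, the `User` struct, and the sample email value are constructed for illustration.

```ruby
require 'erb'

# Added example, not GitLab code. Stand-in for the ActiveRecord user record.
User = Struct.new(:name, :unconfirmed_email)

# Vulnerable pattern (assumed shape): attacker-controlled email interpolated
# straight into an HTML string that the modal renders as markup.
def confirm_user_data_vulnerable(user)
  {
    modal_attributes: {
      title: "Confirm user #{user.name}?",
      messageHtml: "<p>Confirm the email address <strong>#{user.unconfirmed_email}</strong>?</p>"
    }
  }
end

# Hardened pattern: HTML-escape every attacker-controlled value before
# interpolation. ERB::Util.html_escape is the stdlib escaper behind Rails' h();
# it turns <, >, &, " and ' into entities so the browser shows them as text.
def confirm_user_data_fixed(user)
  {
    modal_attributes: {
      title: "Confirm user #{ERB::Util.html_escape(user.name)}?",
      messageHtml: "<p>Confirm the email address <strong>#{ERB::Util.html_escape(user.unconfirmed_email)}</strong>?</p>"
    }
  }
end

# Check helper: does any tag that did not come from the template survive in the
# message? The template itself only uses <p> and <strong>.
def foreign_tags(data)
  html = data[:modal_attributes][:messageHtml]
  html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq - %w[p strong]
end

# Constructed sample: a syntactically plausible address followed by a phishing link.
SAMPLE_USER = User.new(
  "mallory",
  'mallory@example.com<a href="https://evil.example/reset">reset your password</a>'
)

if __FILE__ == $0
  puts "vulnerable foreign tags: #{foreign_tags(confirm_user_data_vulnerable(SAMPLE_USER)).inspect}"
  puts "fixed foreign tags:      #{foreign_tags(confirm_user_data_fixed(SAMPLE_USER)).inspect}"
end
```

Escaping at the point of interpolation is the right layer here: validating the email format on input helps, but the display helper must not depend on every write path having validated the value. Note that if the escaped string were later marked `html_safe` or passed through a second HTML rendering step, the protection would be undone, so the escaped value should go only into the field the modal treats as already-rendered HTML.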
Preconditions
- config: GitLab instance must have "Email confirmation settings" set to "Soft"
- auth: Attacker must have a registered account on the instance
- input: Administrator must manually click the "Confirm user" button for the attacker's account
Reproduction
1. As administrator, set "Email confirmation settings" to "Soft" in Admin → Settings → General → Sign-up restrictions.
2. As attacker, register an account and log in.
3. As attacker, go to profile settings and change the email address to a value containing an HTML payload.
4. As administrator, open the attacker's user page and click "Confirm user"; the modal dialog shows the unconfirmed email with the injected HTML rendered.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- hackerone.com/reports/1935628 (mitre; technical description, exploit)
- gitlab.com/gitlab-org/gitlab/-/issues/408281 (mitre; issue tracking)
News mentions
- GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10 (GitLab Security Releases, Jun 29, 2023)