CVE-2026-6976
Description
GitLab CE/EE allows authenticated developers to hide changes from merge request diff views via improper file name handling, affecting versions 15.9–19.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GitLab CE/EE versions 15.9 through 18.10.7, 18.11.0 through 18.11.4, and 19.0.0 through 19.0.1 are vulnerable to an input validation flaw in the handling of file names. An authenticated user with a developer role can craft a specific file name that, when included in a merge request, causes the diff view to omit the changes made in that file. This vulnerability results from improper input handling of file names in the merge request diff generation code.
Exploitation
An attacker must have an authenticated account with at least the Developer role in a GitLab project. The attacker creates a merge request containing a file with a specially crafted name that exploits the improper input handling. When other users or reviewers view the merge request diff, the changes in the crafted file are not displayed. No additional user interaction is required beyond normal code review workflows.
Impact
Successful exploitation allows an attacker to hide arbitrary changes from the merge request diff view. This can lead to malicious code being merged without detection by reviewers, compromising the integrity of the codebase. The attacker can inject backdoors, exfiltrate data, or introduce other vulnerabilities without immediate visibility. The privilege level required is Developer, which is relatively common in GitLab projects.
Mitigation
GitLab has released fixed versions: 18.10.8, 18.11.5, and 19.0.2, all published on 2026-06-10 [1]. All users running affected versions should upgrade immediately to the nearest patched release. No workarounds have been provided by the vendor. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=15.9, <18.10.8; >=18.11, <18.11.5; >=19.0, <19.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
[1] GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8 (GitLab Security Releases, Jun 10, 2026)