VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-9204

Description

An authenticated user can read arbitrary files from the Gitaly server and access internal network resources during repository import due to insufficient secondary URL validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A validation flaw in GitLab CE/EE allows an authenticated user to supply a malformed or unauthorized secondary URL during repository import. This affects all versions from 18.10 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 [1]. The insufficient validation enables the import process to connect to arbitrary endpoints, including the internal Gitaly server, without proper access checks.

Exploitation

An attacker must be an authenticated GitLab user with the ability to initiate a repository import. By crafting a malicious secondary URL that points to local or internal network resources (such as the Gitaly server's file paths), the attacker can trigger GitLab's import functionality to make requests to that URL. The server-side import process then fetches content from the attacker-controlled target, bypassing regular URL validation [1].

Impact

Successful exploitation results in the disclosure of arbitrary files from the Gitaly server, exposing sensitive data such as repository contents or configuration. Additionally, the attacker may be able to reach other internal network services that the Gitaly server can access, leading to information disclosure or potential lateral movement within the internal network. The impact is limited to read operations initiated during the import process [1].

Mitigation

GitLab has addressed the vulnerability in versions 18.10.8, 18.11.5, and 19.0.2, released on 2026-06-10 [1]. All installations running affected versions should upgrade immediately. No workaround is available. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities catalog at the time of publication.
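As an added example (not part of the advisory or of GitLab's own tooling), a small version-range check a defender can run over an inventory of GitLab version strings to flag instances still inside the affected ranges. The fixed versions are the three the advisory names; the sample inventory at the bottom is constructed.

```python
"""Flag GitLab versions inside the ranges this advisory lists as affected.

Affected per the advisory: 18.10.x before 18.10.8, 18.11.x before 18.11.5,
and 19.0.x before 19.0.2. Versions on minor branches the advisory does not
name (e.g. 18.9 or 19.1) are reported separately rather than as "fixed",
because the advisory says nothing about them.
"""
import re

# Fixed version per affected minor branch, taken from the advisory text.
FIXED_VERSIONS = {
    (18, 10): (18, 10, 8),
    (18, 11): (18, 11, 5),
    (19, 0): (19, 0, 2),
}

# Accepts "18.10.3", "v19.0.1-ee", "18.11.4-ee.0"; anything without an
# X.Y.Z prefix is rejected so a bad banner is never treated as patched.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(version_text):
    """'affected', 'fixed', or 'outside-listed-ranges' for one version."""
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "outside-listed-ranges"
    return "affected" if (major, minor, patch) < fixed else "fixed"


def is_affected(version_text):
    """True only when the version is below the fix on an affected branch."""
    return classify(version_text) == "affected"


def triage(versions):
    """Map each inventory string to its status; bad strings get 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = classify(v)
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["18.10.7", "18.10.8", "v18.11.4-ee", "19.0.1", "19.0.2", "18.9.9", "n/a"]
    for version, status in triage(sample).items():
        print(f"{version:14} {status}")
```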

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
