VYPR
Severity: Low (CVSS 2.6) · Source: NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-9694

Description

An unauthenticated attacker can impersonate the GitLab Support Bot and inject arbitrary content via a crafted Service Desk email reply due to improper template neutralization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GitLab CE/EE versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 contain an improper neutralization flaw in the email template processing used for Service Desk replies. Under certain conditions, an unauthenticated attacker can craft an email reply that, when the Service Desk ingests it, injects arbitrary content into the resulting communication and makes that content appear to come from the GitLab Support Bot [1]. Support Bot is the system account under which Service Desk creates issues and sends notifications, so content attributed to it carries the trust of the platform rather than of an external requester.

Exploitation

The attacker needs only to deliver an email to the target project's Service Desk address. Service Desk addresses are meant to be handed out to external requesters, so no GitLab account or other authentication is required. A crafted reply that passes through the email template pipeline without proper neutralization triggers the injection. The exact injection vectors have not been published; what is known is that user-supplied reply content is not correctly neutralized before it is placed into the templates. The vector is only reachable where the instance has incoming email configured and Service Desk is enabled on the project.

Impact

Successful exploitation lets an unauthenticated attacker impersonate the GitLab Support Bot in Service Desk communications and inject arbitrary content into them. Because recipients have reason to trust messages from the bot, the realistic use is social engineering: misleading requesters or project members with content that appears to come from the platform itself. The impact is confined to content injection within the Service Desk context; no code execution, data modification, or privilege escalation has been disclosed. The CVSS score of 2.6 (Low) reflects this constrained risk.

Mitigation

GitLab released fixed versions 18.10.8, 18.11.5, and 19.0.2 on 2026-06-10 [1]. Administrators running an affected version should upgrade to the fixed release for their branch; note that the first range covers every release from 15.9 up to 18.10.7, including all of 16.x and 17.x. No workarounds have been published. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time.
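As an added check, not part of the advisory or GitLab's own tooling: a small Python helper that decides whether a GitLab version string falls inside the affected ranges above and reports the fixed release for its branch. The range boundaries are taken from the advisory text; the handling of edition suffixes such as `-ee` and the use of `GET /api/v4/version` mentioned in the usage note are assumptions about how the running version is normally obtained.

```python
"""Classify a GitLab version string against the CVE-2026-9694 affected ranges.

Added example; not GitLab's code and not the advisory's. Ranges per the advisory:
    15.9  <= v < 18.10.8
    18.11 <= v < 18.11.5
    19.0  <= v < 19.0.2
"""
import re

# (first affected, first fixed) for each release branch named in the advisory.
# A bare "15.9" or "18.11" lower bound means x.y.0.
AFFECTED_RANGES = (
    ((15, 9, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings like '18.10.7-ee' or '18.11'.

    Assumption: GitLab reports versions as major.minor[.patch] with an optional
    trailing edition/pre-release suffix, which is ignored for range comparison.
    A missing patch component is treated as 0.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(text):
    """Return the fixed release for the branch that `text` falls into, or None
    when the version is outside every affected range."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ".".join(str(part) for part in first_fixed)
    return None


def is_affected(text):
    """True when the version lies inside one of the advisory's affected ranges."""
    return fixed_version_for(text) is not None


def classify(text):
    """Human-readable verdict for a version string, for use in an inventory script."""
    fixed = fixed_version_for(text)
    if fixed is None:
        return f"{text}: not in an affected range for CVE-2026-9694"
    return f"{text}: AFFECTED by CVE-2026-9694, upgrade to {fixed}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for sample in ("18.10.7-ee", "18.10.8", "18.11.4", "19.0.1", "19.0.2-ce", "15.8.5"):
        print(classify(sample))
```

On a live instance the version string normally comes from `GET /api/v4/version` with a personal access token (the `version` field of the JSON response) or from the Admin area; pass that string to `is_affected` or `classify`. Anything outside the three ranges, such as 15.8.x or 19.1.x, is reported as not affected, which matches the advisory but says nothing about instances running custom builds.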

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
