GitLab Patches 12 CVEs: Two Critical Account Takeover Bugs, Service Desk Impersonation, and Auth Bypasses

Key findings
- Two CVSS 8.7 account takeover bugs in GitLab EE: CVE-2026-6552 (group Owner) and CVE-2026-10087 (developer XSS)
- An unauthenticated attacker can impersonate the GitLab Support Bot via Service Desk emails (CVE-2026-9694)
- CVE-2026-7250 allows unauthenticated denial of service through API request parsing middleware
- All 12 CVEs fixed in versions 19.0.2, 18.11.5, and 18.10.8 released June 10, 2026
- GitLab.com already patched; self-managed installations urged to upgrade immediately
- Four of the 12 bugs involve broken authorization checks in group and project permissions
GitLab released versions 19.0.2, 18.11.5, and 18.10.8 on June 10, 2026, patching a batch of 12 vulnerabilities — including two critical-severity account takeover bugs (CVSS 8.7), a Service Desk impersonation flaw, and multiple authorization bypasses — that together affect both Community Edition (CE) and Enterprise Edition (EE) across versions dating back to 12.0.
Account Takeover and Privilege Escalation
The most severe bugs in this batch are both rated CVSS 8.7 (High) and target GitLab EE exclusively. CVE-2026-6552 allows an authenticated user with the group Owner role to take over another group member's GitLab account due to improper authorization in the Groups API. CVE-2026-10087 enables an authenticated user with developer-role permissions to execute arbitrary client-side code on behalf of a targeted user — a stored cross-site scripting (XSS) vulnerability in the merge request diff interface. A third High-severity issue, CVE-2026-8589 (CVSS 7.3), lets an authenticated user add unauthorized email addresses to a targeted user's account because of improper sanitization of user-supplied input, also affecting EE only.
Authorization and Access Control Weaknesses
Several medium-severity flaws involve broken authorization checks. CVE-2026-6269 (CVSS 5.4) allows an authenticated developer-role user to modify hidden merge requests due to incorrect authorization enforcement. CVE-2026-6277 (CVSS 4.3) lets an authenticated user with the Security Manager role manage project security configuration even when the relevant feature is disabled. CVE-2026-3553 (CVSS 3.1, Low) permits an authenticated user to access confidential issue details due to incorrect authorization checks. CVE-2026-6976 (CVSS 3.7, Low) allows a developer-role user to hide changes from merge request diff views through improper input handling.
Denial of Service and Resource Exhaustion
Three CVEs target availability. CVE-2026-7250 (CVSS 7.5, High) enables an unauthenticated attacker to cause denial of service through improper input validation in the API request parsing middleware, affecting versions from 12.10. CVE-2026-1500 (CVSS 6.5, Medium) allows an authenticated user to trigger denial of service via uncontrolled resource consumption when processing a specially crafted file, affecting versions from 17.10. CVE-2026-10733 (CVSS 4.3, Medium) lets an authenticated user cause denial of service on the CI/CD Catalog page due to improper sanitization.
Service Desk Impersonation and Data Leakage
CVE-2026-9694 (CVSS 2.6, Low) is notable for its attack surface: an unauthenticated attacker could impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email, affecting versions from 15.9. CVE-2026-9204 (CVSS 5.3, Medium) allows an authenticated user to read arbitrary files from the Gitaly server and access internal network resources during repository import.
Patch Status and Mitigation
GitLab has released versions 19.0.2, 18.11.5, and 18.10.8 that fix all 12 vulnerabilities. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action. Self-managed installations are strongly advised to upgrade immediately. The patch release is an ad-hoc critical update outside GitLab's regular bi-monthly schedule, reflecting the severity of the account takeover bugs.
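Because the fixes were backported to three separate release lines, a plain "newer than X" comparison is not enough to tell whether a self-managed instance is covered. The following check is an added example (not GitLab's own tooling) that encodes the fixed versions and the three introduction versions the advisory states; it assumes the other nine CVEs apply to any unpatched build.

```python
"""Branch-aware patch check for the GitLab June 10, 2026 fixes (19.0.2, 18.11.5, 18.10.8).

Constructed example, not GitLab tooling. A build counts as patched only when it is on
one of the three fixed release lines at or above the fixed patch level, or on a newer
line entirely; any other build has no fixed build on its line and must move lines.
"""
from __future__ import annotations

# release line -> first patch level carrying the fixes (from the advisory)
FIXED = {(19, 0): 2, (18, 11): 5, (18, 10): 8}

# CVEs for which the advisory gives an explicit introduction version; the other
# nine have no per-CVE start version on the page and are assumed to apply to
# every unpatched build, so they are not listed here
INTRODUCED = {
    "CVE-2026-7250": (12, 10),  # unauthenticated DoS in API request parsing
    "CVE-2026-9694": (15, 9),   # unauthenticated Support Bot impersonation
    "CVE-2026-1500": (17, 10),  # authenticated DoS via crafted file
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; an edition suffix such as '-ee' is dropped."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def patch_status(text: str) -> str:
    """Classify a build as 'patched', 'vulnerable' or 'no-fixed-build'."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "vulnerable"
    if line > max(FIXED):
        return "patched"        # release line cut after the fixes shipped
    return "no-fixed-build"     # older line: no backport, move to a fixed line


def exposed_cves(text: str) -> list[str]:
    """Explicitly dated CVEs an unpatched build is exposed to ([] when patched)."""
    if patch_status(text) == "patched":
        return []
    major, minor, _ = parse_version(text)
    return sorted(cve for cve, start in INTRODUCED.items() if (major, minor) >= start)


if __name__ == "__main__":
    for v in ("18.10.7-ee", "18.10.8", "17.8.2", "15.8.0", "19.1.0"):
        print(f"{v:12} {patch_status(v):15} {exposed_cves(v)}")
```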
Broader Context
This batch underscores a recurring theme in GitLab's security posture: authorization logic in group and project permissions continues to be a rich source of vulnerabilities, with four of the 12 CVEs involving improper authorization checks. The inclusion of an unauthenticated Service Desk impersonation bug and an unauthenticated DoS vector widens the attack surface beyond authenticated users. Organizations running GitLab EE should prioritize the upgrade given the two CVSS 8.7 account takeover flaws that require only group Owner or developer privileges to exploit.