GitLab Patches High-Severity XSS Flaws in Analytics Dashboard and Web IDE
GitLab released versions 19.1.1, 19.0.3, and 18.11.6 fixing multiple vulnerabilities, including two high-severity cross-site scripting flaws.

GitLab released versions 19.1.1, 19.0.3, and 18.11.6 on June 24, 2026, addressing multiple security vulnerabilities. The updates are available for both Community Edition (CE) and Enterprise Edition (EE). GitLab strongly recommends that all self-managed installations upgrade immediately. GitLab.com is already running the patched version, and GitLab Dedicated customers do not need to take action.
The most critical fixes include two high-severity cross-site scripting (XSS) vulnerabilities. CVE-2026-10086 (CVSS 8.7) is a stored XSS in the Analytics Dashboard affecting GitLab EE versions from 16.4. An authenticated user with developer-role permissions could execute arbitrary client-side code in the context of another user's session due to improper sanitization of user-supplied input. CVE-2026-10712 (CVSS 8.0) is an unauthenticated XSS in the Web IDE workbench asset handler affecting both CE and EE from version 18.10. An unauthenticated attacker could execute arbitrary JavaScript in a user's browser session due to improper path validation.
Other fixes address information disclosure, authorization bypass, and server-side request forgery (SSRF) issues. CVE-2026-12053 (CVSS 7.7) is an information disclosure flaw in Duo Workflows affecting GitLab EE 19.1, where a user could access sensitive information already committed to a project due to insufficient output filtering. CVE-2026-5309 (CVSS 5.4) is an authorization bypass in the Virtual Registry Cleanup Policy API affecting EE versions from 18.6. CVE-2026-2238 (CVSS 5.3) is an improper authorization issue in Rapid Diffs affecting CE/EE from 17.5, allowing unauthenticated users to view confidential issue references on public projects. CVE-2026-11379 (CVSS 5.3) is an incorrect authorization issue in DAST scanner and site profile management affecting EE from 13.11, potentially allowing a developer to exfiltrate DAST site profile secrets.
Additional medium-severity fixes include improper authorization in Maven Package Registry, insufficient filtering in CI/CD API, improper input validation in Snippets, and improper access control in group packages API and Protected Environments API. Low-severity fixes address missing authorization in Security Dashboard and SSRF in Repository Mirroring.
The vulnerabilities were reported through GitLab's HackerOne bug bounty program by researchers including yvvdwf, joaxcar, 3nvz, GitLab team member Dennis Appelt, go7f0, and modhanami. GitLab follows a policy of making vulnerability details public 30 days after the patch release.
All self-managed GitLab instances running affected versions should upgrade to 19.1.1, 19.0.3, or 18.11.6 immediately. Organizations using GitLab.com are already protected. This patch release underscores the importance of keeping DevOps platforms up to date, as XSS and authorization flaws can lead to account takeover and data breaches.
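For a self-managed instance, the first practical question is whether the running version already includes these fixes and, if not, which of the listed CVEs apply to its edition. The following added example (not GitLab's own tooling) encodes the fixed versions, CVE ids, CVSS scores, editions and affected-from versions exactly as stated above, and reports exposure for a version string such as `19.1.0-ee`. Two things in it are assumptions: that any release newer than 19.1.1 also carries the fixes, and that "EE 19.1" for CVE-2026-12053 means EE from 19.1 onward.

```python
"""Check a self-managed GitLab version against the fixes in 19.1.1, 19.0.3 and 18.11.6.

Added example, not GitLab's own tooling. Fixed versions, CVE ids, CVSS scores,
editions and affected-from versions are those stated in the advisory summary;
treating releases newer than 19.1.1 as fixed is our assumption.
"""
import re
from dataclasses import dataclass

# First fixed patch level per release branch: (major, minor) -> patch
FIXED_PATCH = {(19, 1): 1, (19, 0): 3, (18, 11): 6}
NEWEST_FIXED = (19, 1, 1)


@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: float
    editions: frozenset   # editions affected: {"CE", "EE"}
    affected_from: tuple  # first affected (major, minor)
    summary: str


ADVISORIES = (
    Advisory("CVE-2026-10086", 8.7, frozenset({"EE"}), (16, 4),
             "stored XSS in Analytics Dashboard"),
    Advisory("CVE-2026-10712", 8.0, frozenset({"CE", "EE"}), (18, 10),
             "unauthenticated XSS in Web IDE workbench asset handler"),
    Advisory("CVE-2026-12053", 7.7, frozenset({"EE"}), (19, 1),   # assumed: "EE 19.1" = from 19.1
             "information disclosure in Duo Workflows"),
    Advisory("CVE-2026-5309", 5.4, frozenset({"EE"}), (18, 6),
             "authorization bypass in Virtual Registry Cleanup Policy API"),
    Advisory("CVE-2026-2238", 5.3, frozenset({"CE", "EE"}), (17, 5),
             "improper authorization in Rapid Diffs"),
    Advisory("CVE-2026-11379", 5.3, frozenset({"EE"}), (13, 11),
             "incorrect authorization in DAST scanner/site profile management"),
)

# Accepts "19.1.0", "19.1.0-ee" or "18.11.5-ce" (the major.minor.patch-edition
# form GitLab prints for its own version)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ce|ee))?$")


def parse_version(text):
    """Return ((major, minor, patch), edition); edition is 'CE', 'EE' or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch)), (edition.upper() if edition else None)


def is_patched(text):
    """True if the version is at or above the fixed release for its branch."""
    (major, minor, patch), _ = parse_version(text)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch >= fixed
    # Branches with no listed fix (e.g. 18.10.x) stay unpatched; anything
    # newer than 19.1.1 is assumed to include the fixes (our assumption).
    return (major, minor, patch) > NEWEST_FIXED


def exposed_cves(text, edition=None):
    """CVE ids this installation is exposed to, highest CVSS first ([] if patched)."""
    (major, minor, _), suffix_edition = parse_version(text)
    edition = (edition or suffix_edition or "").upper()
    if edition not in ("CE", "EE"):
        raise ValueError("edition must be 'CE' or 'EE' (pass it or use a -ce/-ee suffix)")
    if is_patched(text):
        return []
    hits = [a for a in ADVISORIES
            if edition in a.editions and (major, minor) >= a.affected_from]
    # sorted() is stable, so equal-CVSS entries keep advisory order
    return [a.cve for a in sorted(hits, key=lambda a: a.cvss, reverse=True)]


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data
    for v in ("19.1.0-ee", "18.10.2-ce", "18.11.6-ee", "19.2.0-ce"):
        status = "patched" if is_patched(v) else "UPGRADE: " + ", ".join(exposed_cves(v))
        print(f"{v:<12} {status}")
```

Run it against the version string each instance reports; an 18.10.x CE install, for example, is flagged for CVE-2026-10712 and CVE-2026-2238 but not for the EE-only issues, while any 19.1.0 EE install is flagged for all six.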