VYPR
Published Jul 8, 2026· Updated Jul 11, 2026· 1 source

GitLab: Three Vulnerabilities Including Script Execution Fixed in July 8 Patch Release

Key findings • Three GitLab vulnerabilities disclosed simultaneously on July 8, 2026, affecting CE and EE. • CVE-2026-13320 allows arbitrary script execution due to improper input sanitizatio…

Key findings

  • Three GitLab vulnerabilities disclosed simultaneously on July 8, 2026, affecting CE and EE.
  • CVE-2026-13320 allows arbitrary script execution due to improper input sanitization.
  • CVE-2026-7492 enables information disclosure of private project existence.
  • CVE-2026-6352 permits modification of compliance records by auditor-level users.
  • Patched versions 19.1.2, 19.0.4, and 18.11.7 are available; self-managed instances require immediate upgrade.

On July 8, 2026, GitLab Inc. released security updates addressing three vulnerabilities affecting both GitLab Community Edition (CE) and Enterprise Edition (EE). The disclosures, which occurred simultaneously, include one critical vulnerability, one moderate, and one low-severity issue, highlighting a range of potential risks for self-managed installations. The patched versions, 19.1.2, 19.0.4, and 18.11.7, were made available to mitigate these security concerns.

One of the most significant vulnerabilities disclosed is CVE-2026-13320, an important-severity flaw related to improper input sanitization that could lead to arbitrary script execution. This type of vulnerability can be particularly dangerous, potentially allowing attackers to run malicious scripts within the context of the application, leading to data theft or further system compromise.

Another notable vulnerability is CVE-2026-7492, a moderate-severity information disclosure flaw. This bug could allow unauthorized access to the existence of private projects, posing a risk to the confidentiality of sensitive information within an organization's GitLab instance.

The batch also includes CVE-2026-6352, a low-severity issue where auditor-level users could modify compliance records due to improper authorization in GraphQL. While less critical, this vulnerability could still undermine the integrity of compliance data for organizations relying on GitLab for auditing purposes.

GitLab has urged all users with self-managed installations to upgrade to the patched versions immediately. GitLab.com is already running the updated versions, and GitLab Dedicated customers are unaffected. The company releases patches twice a month, with ad hoc updates for critical vulnerabilities, and this release falls within that framework.

These vulnerabilities underscore the importance of timely patching for self-managed GitLab instances. Users should ensure they are running the latest available versions to protect against potential exploitation of these and other security flaws. The simultaneous disclosure of these CVEs indicates a coordinated effort by GitLab to address multiple security weaknesses in a single update cycle.

Synthesized by Vypr AI