Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
Published: 2026-07-08
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab contains a flaw that can allow an authenticated user to create a repository in which the content displayed on the web interface differs from the content that is actually retrieved when the repository is downloaded. This discrepancy arises because Git reference names are not correctly resolved when handling repository uploads, leading to a mismatch between what a user sees and what data is stored. The flaw does not provide direct confidentiality or integrity violations for the system itself, but it can mislead users or enable a malicious actor to present misleading or altered content to others who rely on the web view.

Affected Systems

GitLab Community Edition and Enterprise Edition are affected for all releases from version 16.5 up to, but not including, 18.11.7, from 19.0 up to, but not including, 19.0.4, and from 19.1 up to, but not including, 19.1.2. The vulnerability applies to both the source and the packaged GitLab offerings, regardless of deployment mode.

Risk and Exploitability

The CVSS score of 3.5 classifies the vulnerability as low severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, indicating that there is no known active exploitation. The attack vector requires an authenticated user with permission to create new repositories; no network access or remote code execution is possible. Overall, the risk is modest, bounded to the potential for content confusion or deceptive representation within a user’s own environment.

Generated by OpenCVE AI on July 9, 2026 at 04:01 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.11.7, 19.0.4, 19.1.2 or above.


OpenCVE Recommended Actions

  • Upgrade to GitLab 18.11.7 or later, or to 19.0.4 or later, or to 19.1.2 or later as recommended by the vendor
  • After upgrading, verify that repository creation behaves correctly and that the displayed content matches the downloaded content
  • If an immediate update is not feasible, restrict repository creation privileges to trusted users only and monitor for any infected or suspicious repository uploads

Generated by OpenCVE AI on July 9, 2026 at 04:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution.
Title Use of Incorrectly-Resolved Name or Reference in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-706
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-07-08T20:47:28.863Z

Reserved: 2025-10-30T14:05:29.287Z

Link: CVE-2025-12506

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T04:15:12Z

Weaknesses
  • CWE-706

    Use of Incorrectly-Resolved Name or Reference