Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Published: 2026-02-11
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Hidden file changes by an authenticated developer
Action: Apply Patch
AI Analysis

Impact

GitLab versions prior to 18.8.4 contain a flaw that improperly validates unsafe equivalence in user input, allowing an authenticated developer to conceal specially crafted file changes from the WebUI. This weakness, identified as CWE‑1289, can enable developers to hide modifications to repository contents, impacting the integrity of displayed code and potentially allowing the persistence of unauthorized changes.

Affected Systems

Both GitLab Community Edition and Enterprise Edition are impacted, specifically all releases from 18.8 up to but not including 18.8.4. Users running any of these versions should examine their installations to determine whether they are within this range.

Risk and Exploitability

The overall CVSS score of 4.6 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not in the CISA KEV catalog. The attack vector requires an insider credential with developer-level access; the attacker must be authenticated to the GitLab instance and possess permissions to commit changes. Given the limited scope, the risk is primarily to the integrity of code visible through the WebUI.

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.

Remediation

Vendor Solution

Upgrade to version 18.8.4 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.8.4 or newer as recommended by the vendor.
  • Verify that all existing merge requests and commits are free of hidden changes before applying the patch to prevent persistence of unauthorized modifications.
  • After the upgrade, enforce strict code review and merge request workflows to restrict developer permissions on sensitive repositories.

Generated by OpenCVE AI on April 18, 2026 at 12:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Gitlab gitlab
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
Vendors & Products Gitlab gitlab

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 11:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI.
Title Improper Validation of Unsafe Equivalence in Input in GitLab
First Time appeared Gitlab
Gitlab gitaly
Weaknesses CWE-1289
CPEs cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitaly
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Gitlab Gitaly Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-02-11T21:18:35.282Z

Reserved: 2026-01-16T21:33:12.365Z

Link: CVE-2026-1094

cve-icon Vulnrichment

Updated: 2026-02-11T21:18:32.874Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-11T12:16:04.263

Modified: 2026-02-12T21:19:23.863

Link: CVE-2026-1094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses