Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Published: 2026-03-11
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Code Integrity Violation
Action: Patch
AI Analysis

Impact

GitLab introduced a flaw that allowed an authenticated user to trigger repository downloads containing code that does not match what appears in the web interface, due to incorrect validation of branch references. The vulnerability stems from improper reference resolution, classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference). The consequence is a potential exposure of unauthorised code and a breach of code integrity, enabling an attacker to deliver unintended changes or malicious snippets to downstream consumers.

Affected Systems

Affected products include GitLab Community Edition (CE) and Enterprise Edition (EE). All versions from 1.0 up to but excluding 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 are vulnerable. The security advisory lists the affected CPEs as gitlab:gitlab for both community and enterprise editions.

Risk and Exploitability

The vulnerability has a CVSS score of 4.1, indicating low to moderate severity, and an EPSS score below 1%, implying a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Exploitation requires authentication to the targeted GitLab instance; an attacker with valid credentials can provoke the download mismatch by using the incorrect branch reference. Once triggered, the attacker can obtain code that differs from what the user sees, potentially facilitating covert data exfiltration or delivery of tainted code.

Generated by OpenCVE AI on March 17, 2026 at 22:24 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.7.6, 18.8.6, 18.9.2 or above.

OpenCVE Recommended Actions

  • Apply the latest GitLab patch: upgrade to version 18.7.6, 18.8.6, 18.9.2 or any newer release.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Wed, 11 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.
Title Use of Incorrectly-Resolved Name or Reference in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-706
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-03-11T19:46:36.143Z

Reserved: 2026-01-20T13:33:22.197Z

Link: CVE-2026-1230

Vulnrichment

Updated: 2026-03-11T19:46:29.639Z

NVD

Status : Analyzed

Published: 2026-03-11T16:16:22.493

Modified: 2026-03-17T20:55:04.850

Link: CVE-2026-1230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:48Z

Weaknesses