Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.
Published: 2026-04-22
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: Unauthorized Content Injection via Mermaid Rendering
Action: Patch
AI Analysis

Impact

This vulnerability arises from improper input validation in GitLab's Mermaid sandbox, enabling an authenticated user to embed malicious content that renders in another user's browser. The failure to correctly restrict rendered UI layers or frames allows the injection of unauthorized content, potentially leading to a compromised user experience. While the primary impact is the execution of unintended browser-side rendering, the effect is confined to the rendering context and does not provide direct database or system compromise.

Affected Systems

GitLab Community Edition and Enterprise Edition are affected for all releases starting from 18.11 up to, but excluding, 18.11.1. The vulnerability applies across both web and internal API endpoints where Mermaid diagrams are processed and displayed to authenticated users.

Risk and Exploitability

The CVSS score of 3.5 indicates a low overall severity; the lack of an EPSS score signals no publicly available indicator of exploitation attempts, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers require authenticated access and the ability to supply or modify Mermaid diagrams, so the attack vector is most plausibly limited to privileged users within the organization. Given the limited scope and the requirement for authenticated access, the likelihood of widespread exploitation is low, though the potential for internal misuse remains. The inadequacy in input validation directly contributes to a CWE-1021 condition, emphasizing a failure in anti‑tampering controls.

Generated by OpenCVE AI on April 22, 2026 at 17:58 UTC.

Remediation

Vendor Solution

Upgrade to version 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.11.1 or later, which contains the full fix for the Mermaid sandbox validation issue.
  • Restrict Mermaid diagram creation to trusted users or roles to minimize the number of users who can inject content.
  • If necessary, disable Mermaid diagram rendering in the UI until a patch is produced, which removes the attack surface entirely.

Generated by OpenCVE AI on April 22, 2026 at 17:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that under certain conditions could have allowed an authenticated user to load unauthorized content into another user's browser due to improper input validation in the Mermaid sandbox.
Title Improper Restriction of Rendered UI Layers or Frames in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-1021
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T17:39:44.965Z

Reserved: 2026-02-26T11:33:27.873Z

Link: CVE-2026-3254

cve-icon Vulnrichment

Updated: 2026-04-22T17:39:41.713Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:43.433

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-3254

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T18:00:05Z

Weaknesses