Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.
Published: 2026-04-22
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Token Exposure via XSS
Action: Patch Now
AI Analysis

Impact

GitLab CE/EE contains an improper input validation flaw that can trigger cross‑site scripting when a user visits the Storybook development interface. The flaw allows an unauthenticated attacker to inject code that runs in the victim’s browser, which can then read development‑environment tokens that should not be publicly exposed. The bug is identified as a CWE‑79 vulnerability and could lead to credential theft or other malicious actions executed in the context of the victim’s session.

Affected Systems

All GitLab Community Edition and Enterprise Edition releases from 16.1.0 up to, but not including, 18.9.6, 18.10.4, and 18.11.1 are affected. No other versions were reported to be vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 8, indicating high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because the exploit requires unauthenticated access to the Storybook interface, the attack vector is a remote, web‑based attack that can be performed by anyone with network visibility to the development environment. Successful exploitation could allow an attacker to read or exfiltrate tokens, compromising credential confidentiality and potentially enabling further lateral movement.

Generated by OpenCVE AI on April 22, 2026 at 18:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.9.6, 18.10.4, 18.11.1 or above.

OpenCVE Recommended Actions

  • Upgrade the GitLab installation to version 18.9.6, 18.10.4, 18.11.1 or later to apply the vendor fix.
  • Restrict or disable public access to the Storybook development environment so that only authorized developers can view it.
  • If an upgrade cannot be performed immediately, block external traffic to the Storybook endpoint until the patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that under certain conditions could have allowed an unauthenticated user to access tokens in the Storybook development environment due to improper input validation.
Title Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-79
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Gitlab Gitlab
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-22T18:08:34.142Z

Reserved: 2026-03-31T16:33:39.916Z

Link: CVE-2026-5262

cve-icon Vulnrichment

Updated: 2026-04-22T18:08:29.547Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:44.437

Modified: 2026-04-23T20:38:56.460

Link: CVE-2026-5262

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T21:00:06Z

Weaknesses