Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
Published: 2026-04-22
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Client-Side Arbitrary JavaScript Execution
Action: Immediate Patch
AI Analysis

Impact

GitLab has a flaw that improperly resolves path equivalence, allowing an unauthenticated user to trigger arbitrary JavaScript execution within a target user's browser session. The weakness is classified as CWE-41 (Improper Resolution of Path Equivalence), and a successful attack could be used to hijack sessions, steal credentials, or inject malicious content while the victim is logged into GitLab.

Affected Systems

The flaw impacts GitLab Community Edition and Enterprise Edition. All releases from 18.10.0 to 18.10.3 and the 18.11.0 release are affected. Versions 18.10.4, 18.11.1 and later contain the fix.
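To turn the affected-version statement above into a repeatable check, the following added example (not OpenCVE's or GitLab's own code) parses a GitLab version string and tests it against the two ranges the advisory lists. It assumes the version is reported in the usual MAJOR.MINOR.PATCH form, optionally with an edition suffix such as "-ee"; the JSON snippet inside is a constructed sample, not real output.

```python
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges stated in the advisory, as half-open intervals [lo, hi):
# 18.10.0 up to but not including 18.10.4, and 18.11.0 up to but not including 18.11.1.
AFFECTED_RANGES = (
    ((18, 10, 0), (18, 10, 4)),
    ((18, 11, 0), (18, 11, 1)),
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Edition/build suffixes ('18.10.3-ee', '18.10.3+foo') are stripped, and a
    missing patch component is treated as 0 ('18.10' -> (18, 10, 0)).
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release for an affected version, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def assess_instance(version_json: str) -> dict:
    """Assess a constructed /api/v4/version-style JSON document ({"version": ...})."""
    reported = json.loads(version_json)["version"]
    return {
        "reported": reported,
        "affected": is_affected(reported),
        "upgrade_to": fixed_version_for(reported),
    }


if __name__ == "__main__":
    # Constructed sample response; a real instance reports its own version.
    sample = '{"version": "18.10.3-ee", "revision": "PLACEHOLDER"}'
    print(assess_instance(sample))
```

The ranges are half-open so that the fixed releases (18.10.4, 18.11.1) and anything later evaluate as not affected, while 18.10 with no patch number is treated as 18.10.0 and therefore affected.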

Risk and Exploitability

The CVSS score of 8 indicates high severity, though the EPSS score is not available, so the current exploit probability is unknown. Because the vulnerability is exploitable by unauthenticated users, an attacker can craft a request that bypasses path validation and deliver malicious JavaScript to any user who visits the targeted page. The vulnerability is not listed in CISA KEV, and no public exploit had been reported at the time of this assessment. The likely attack vector is a crafted HTTP request that triggers the path conversion logic; the impact is confined to the victim's browser context but can be leveraged for social engineering or first-party data theft.

Generated by OpenCVE AI on April 27, 2026 at 08:49 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.4, 18.11.1 or above.
OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.10.4, 18.11.1, or any later release that includes the path-validation fix
  • If an upgrade is not yet possible, restrict access to the affected path or monitor inbound requests for patterns that resemble the known exploitation sequence
  • Enforce a strict Content Security Policy on the web interface to prevent arbitrary JavaScript execution and mitigate exploitation of the flaw while a patch is pending


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
CPEs:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:community:*:*:*
  cpe:2.3:a:gitlab:gitlab:18.11.0:*:*:*:enterprise:*:*:*

Wed, 22 Apr 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc):
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description:
  GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation under certain conditions.
Title:
  Improper Resolution of Path Equivalence in GitLab
First Time appeared:
  Gitlab
  Gitlab gitlab
Weaknesses:
  CWE-41
CPEs:
  cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products:
  Gitlab
  Gitlab gitlab
References:
Metrics (cvssV3_1):
  {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-04-23T03:56:09.061Z

Reserved: 2026-04-08T15:33:27.101Z

Link: CVE-2026-5816

Vulnrichment

Updated: 2026-04-22T17:51:37.879Z

NVD

Status : Analyzed

Published: 2026-04-22T17:16:44.763

Modified: 2026-04-23T20:30:30.267

Link: CVE-2026-5816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses