Description
GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.
Published: 2026-06-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitLab Enterprise Edition contains a cross-site scripting flaw that, when exploited by an authenticated user, permits insertion of malicious input into certain group setting fields. The vulnerability can be used to add unauthorized email addresses to a target user's account, giving the attacker an additional foothold for impersonating that user or conducting phishing. The flaw is a classic example of CWE-79: improper neutralization of input during web page generation leads to unauthorized data manipulation.

Affected Systems

All GitLab EE releases from 13.1.4 up to, but not including, 18.10.8; from 18.11.0 up to, but not including, 18.11.5; and from 19.0.0 up to, but not including, 19.0.2 are vulnerable. The fix is available in 18.10.8, 18.11.5, and 19.0.2 or newer.

Risk and Exploitability

The CVSS score of 7.3 indicates a high-severity vulnerability, and the lack of an EPSS score means there is no current exploit prevalence data. The flaw can be leveraged by an authenticated user; it does not require remote code execution and is not listed in the CISA KEV catalog. Because authentication is required, a typical attack scenario involves a compromised or privileged account on the same GitLab instance, which is then used to inject malicious group setting data and add arbitrary email addresses to another user's account.

Generated by OpenCVE AI on June 11, 2026 at 12:23 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.


OpenCVE Recommended Actions

  • Apply the latest security patch by upgrading GitLab EE to version 18.10.8, 18.11.5, 19.0.2, or a later release.
  • Until the upgrade can be performed, remove or restrict access to the vulnerable group setting fields, preventing authenticated users from injecting invalid input.
  • Enable and review audit logs to detect unauthorized modifications to user email addresses, and consider temporarily locking affected accounts if suspicious activity is observed.



Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.
Title                (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
First Time appeared  (none)           Gitlab; Gitlab gitlab
Weaknesses           (none)           CWE-79
CPEs                 (none)           cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Gitlab; Gitlab gitlab
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:28:51.255Z

Reserved: 2026-05-14T08:04:55.813Z

Link: CVE-2026-8589

Vulnrichment

Updated: 2026-06-11T12:28:47.368Z

NVD

Status : Received

Published: 2026-06-11T12:16:32.860

Modified: 2026-06-11T12:16:32.860

Link: CVE-2026-8589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T13:30:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')