Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Published: 2026-06-11
Score: 2.6 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from GitLab’s email template engine failing to neutralize substitution characters when processing Service Desk email replies. This flaw, identified as CWE-153, allows an unauthenticated attacker to construct a malicious email that impersonates the GitLab Support Bot and inject arbitrary content into repository or issue metadata.

Affected Systems

GitLab Community Edition and Enterprise Edition are affected. Versions from 15.9 up to 18.10.7, 18.11 up to 18.11.4, and 19.0 up to 19.0.1 are vulnerable. The vendor recommends upgrading to GitLab 18.10.8, 18.11.5, 19.0.2 or newer to resolve the issue.

Risk and Exploitability

The CVSS score of 2.6 indicates low severity, and the EPSS score of less than 1% signals a very low exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. When exploited, the attacker could inject arbitrary content into GitLab via a crafted Service Desk email reply, potentially leading to defacement or misrepresentation of support communications. The likely attack vector is through the Service Desk feature, where an unauthenticated user could send a specially crafted email to a project’s support address, triggering the template engine to process malicious substitution characters.

Generated by OpenCVE AI on June 11, 2026 at 16:17 UTC.

Remediation

Vendor Solution

Upgrade to versions 18.10.8, 18.11.5, 19.0.2 or above.


OpenCVE Recommended Actions

  • Upgrade GitLab to version 18.10.8, 18.11.5, 19.0.2 or newer to apply the vendor patch
  • Until the upgrade can be performed, consider disabling the Service Desk email reply feature or restricting it to known, authenticated senders to prevent malicious content injection
  • Monitor Service Desk email logs for suspicious or malformed content that could indicate exploitation attempts

Generated by OpenCVE AI on June 11, 2026 at 16:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*
cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*

Thu, 11 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Description GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Title Improper Neutralization of Substitution Characters in GitLab
First Time appeared Gitlab
Gitlab gitlab
Weaknesses CWE-153
CPEs cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Vendors & Products Gitlab
Gitlab gitlab
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-11T12:38:55.300Z

Reserved: 2026-05-27T11:03:58.975Z

Link: CVE-2026-9694

cve-icon Vulnrichment

Updated: 2026-06-11T12:38:50.440Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-11T12:16:33.110

Modified: 2026-06-11T17:32:06.163

Link: CVE-2026-9694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T16:17:39Z

Weaknesses
  • CWE-153

    Improper Neutralization of Substitution Characters