TL;DR
This GitLab patch release, shipped on July 8, 2026, covers versions 19.1.2, 19.0.4, and 18.11.7. The update fixes eight security flaws across Community and Enterprise Edition. The most severe is a stored cross-site scripting bug, CVE-2026-6896, rated CVSS 8.7. GitLab reports no known exploitation.
Why it matters
GitLab holds source code, secrets, and CI/CD pipelines for many teams. So a browser-based flaw there can reach sensitive projects. The top bug needs only developer-role access, which many contributors already hold. Two fixes let one user run scripts in another user’s session. That opens the door to session theft and repository tampering.
How the attacks work
The top bug, CVE-2026-6896, sits in the vulnerability evidence table renderer. A developer-role user could plant a script through unsanitized input. When a victim views the page, the script runs in their browser. A second flaw, CVE-2026-13320, allows HTML injection through wiki markup. Both are classic cross-site scripting problems. The remaining six cover credential exposure in repository mirroring, weak authorization, and private-project disclosure.
Affected versions
The flaws affect a wide range of GitLab CE and EE builds before the fix. Several issues reach back many major versions. GitLab.com already runs the patched code, and Dedicated customers need no action. Researchers reported the bugs through GitLab’s HackerOne bug bounty program.
Patch and mitigation
Self-managed admins should upgrade now to 19.1.2, 19.0.4, or 18.11.7. There is no workaround, so patching is the only fix. For the full CVE list, read GitLab’s patch release notes. This GitLab patch release follows the vendor’s twice-monthly security cadence, and full issue details go public 30 days after the release.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.