- Last update: 26/03/2026
- Affected software:
→ GitLab Community Edition (CE)
→ GitLab Enterprise Edition (EE)
- Type:
→ CWE-352: Cross-Site Request Forgery (CSRF)
→ CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
→ CWE-407: Inefficient Algorithmic Complexity
- CVE/CVSS:
→ CVE-2026-2370: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
→ CVE-2026-3857: CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
→ CVE-2026-2995: CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
→ CVE-2026-3988: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Other medium/low severity CVEs:
→ CVE-2026-2745, CVE-2026-1724, CVE-2025-13436, CVE-2025-13078
→ CVE-2026-2973, CVE-2026-2726, CVE-2025-14595, CVE-2026-4363
GitLab patch release - <https://about.gitlab.com/releases/2026/03/25/patch-release-gitlab-18-10-1-released/>
GitLab disclosed several high-severity security vulnerabilities as part of its monthly scheduled security release. Exploitation of these vulnerabilities could allow an authenticated user with minimal permissions to obtain sensitive credentials, allow unauthenticated attackers to execute actions on behalf of other users, facilitate the takeover of user accounts via HTML injection, or cause a full Denial of Service (DoS) of the GitLab instance.
CVE-2026-2370 (CVSS 8.1):
An improper authorization check in Jira Connect installations allows authenticated users with minimal workspace permissions to obtain installation credentials. This enables an attacker to impersonate the GitLab application and access integrated Jira data.
CVE-2026-3857 (CVSS 8.1):
Insufficient CSRF protection in the GLQL API allows unauthenticated attackers to execute arbitrary GraphQL mutations on behalf of a victim user who visits a malicious webpage.
CVE-2026-2995 (CVSS 7.7):
A flaw in the vulnerability report feature of GitLab EE allows for HTML injection due to improper sanitization. An attacker could exploit this to add unauthorized email addresses to targeted user accounts, potentially leading to account takeovers.
CVE-2026-3988 (CVSS 7.5):
Improper input validation in the GraphQL API allows unauthenticated users to trigger excessive resource consumption, leading to a Denial of Service (DoS) where the GitLab instance becomes unresponsive.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
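A quick way to confirm which instances still need this update is to compare the running version with the release named in the link above. The script below is an added example (not CCB or GitLab code); it assumes 18.10.1 as the fixed version, which is only what the release URL states, and it queries GitLab's real `GET /api/v4/version` endpoint with a read-only personal access token. The base URL and token are placeholders.

```python
import json
import re
import urllib.request
from typing import Tuple

# Assumption (taken from the release link, not stated elsewhere in the
# advisory): GitLab 18.10.1 is the fixed version. GitLab patch releases
# usually also ship backports for older supported branches, so a version
# below 18.10.1 is reported as "review", meaning check it against the
# release post, not as a confirmed vulnerable state.
FIXED_VERSION = (18, 10, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a GitLab version string such as '18.10.1-ee' or '18.9.3'.

    The edition suffix (-ee / -ce) and any pre-release tag are ignored;
    only the numeric major.minor.patch triple is compared.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return (int(match.group(1)), int(match.group(2)), int(match.group(3)))


def is_at_or_above_fixed(version: str) -> bool:
    """True when the running version is >= the assumed fixed version."""
    return parse_version(version) >= FIXED_VERSION


def assess(version: str) -> str:
    """Return 'patched' or 'review' for a given running version."""
    return "patched" if is_at_or_above_fixed(version) else "review"


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version via GET /api/v4/version (needs read_api scope)."""
    request = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return json.load(response)["version"]


if __name__ == "__main__":
    # Placeholders: replace with your instance URL and a read_api token.
    running = fetch_instance_version("https://gitlab.example.invalid", "<TOKEN>")
    print(f"{running}: {assess(running)}")
```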
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.