Multiple Vulnerabilities in GitLab Products
16 June 2026
Attackers can exploit multiple high-severity vulnerabilities in GitLab to achieve account takeover, cause denial of service, add unauthorised email addresses and execute arbitrary client-side code. Patch immediately.
Background
GitLab has released security updates addressing multiple high-severity vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE). These vulnerabilities can lead to full account takeover, unauthenticated denial of service, unauthorised email addition and arbitrary client-side code execution.
These vulnerabilities have Common Vulnerability Scoring System (CVSS v3.1) base scores, out of 10, of 8.7 for CVE-2026-6552 and CVE-2026-10087, 7.5 for CVE-2026-7250, and 7.3 for CVE-2026-8589.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-6552: Due to improper authorisation in the Group SAML identity management functionality, an authenticated user with the group owner role could take over another group member’s GitLab account.
CVE-2026-7250: Due to improper input validation in the API request parsing middleware, an unauthenticated attacker could cause a denial of service on the affected GitLab instance.
CVE-2026-8589: Due to improper sanitisation of user-supplied input in certain group setting fields, an authenticated user could add unauthorised email addresses to a targeted user’s account.
CVE-2026-10087: Due to improper input sanitisation in the Analytics Dashboard, an authenticated user with developer-role permissions could execute arbitrary client-side code on behalf of a targeted user.
Affected Products
These vulnerabilities affect the following GitLab products and versions:
CVE-2026-6552:
GitLab EE versions 19.0.0 through 19.0.1
GitLab EE versions 18.11.0 through 18.11.4
GitLab EE versions 15.5.0 through 18.10.7
CVE-2026-7250:
GitLab CE and EE versions 19.0.0 through 19.0.1
GitLab CE and EE versions 18.11.0 through 18.11.4
GitLab CE and EE versions 12.10.0 through 18.10.7
CVE-2026-8589:
GitLab EE versions 19.0.0 through 19.0.1
GitLab EE versions 18.11.0 through 18.11.4
GitLab EE versions 13.1.4 through 18.10.7
CVE-2026-10087:
GitLab EE versions 19.0.0 through 19.0.1
GitLab EE versions 18.11.0 through 18.11.4
GitLab EE versions 17.1.0 through 18.10.7
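The following is an added example, not code from the advisory or from GitLab, that checks an instance's version string and edition against the affected ranges listed above so an administrator can tell which of the four CVEs apply before patching. It assumes the operator supplies the version (as shown on the instance, e.g. "18.11.3-ee") and the edition ("CE" or "EE"); the ranges are copied from this advisory.

```python
"""Check a GitLab version against the affected ranges in this advisory.

Added example, not GitLab's own code. The version string and edition are
supplied by the operator; the ranges below are copied from the advisory.
"""
from typing import FrozenSet, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-ee' / '-ce' suffix is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


# (CVE, editions affected, inclusive (first, last) affected ranges from the advisory)
ADVISORY: List[Tuple[str, FrozenSet[str], List[Tuple[str, str]]]] = [
    ("CVE-2026-6552", frozenset({"EE"}),
     [("19.0.0", "19.0.1"), ("18.11.0", "18.11.4"), ("15.5.0", "18.10.7")]),
    ("CVE-2026-7250", frozenset({"CE", "EE"}),
     [("19.0.0", "19.0.1"), ("18.11.0", "18.11.4"), ("12.10.0", "18.10.7")]),
    ("CVE-2026-8589", frozenset({"EE"}),
     [("19.0.0", "19.0.1"), ("18.11.0", "18.11.4"), ("13.1.4", "18.10.7")]),
    ("CVE-2026-10087", frozenset({"EE"}),
     [("19.0.0", "19.0.1"), ("18.11.0", "18.11.4"), ("17.1.0", "18.10.7")]),
]


def affected_cves(version: str, edition: str) -> List[str]:
    """Return the advisory CVEs that apply to this version and edition."""
    v = parse_version(version)
    ed = edition.upper()
    if ed not in ("CE", "EE"):
        raise ValueError("edition must be 'CE' or 'EE'")
    hits = []
    for cve, editions, ranges in ADVISORY:
        if ed not in editions:
            continue  # e.g. the SAML and Analytics issues are EE-only
        # Tuple comparison orders (major, minor, patch) numerically, not as text.
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    import sys
    ver = sys.argv[1] if len(sys.argv) > 1 else "18.11.3-ee"  # constructed sample input
    ed = sys.argv[2] if len(sys.argv) > 2 else "EE"
    found = affected_cves(ver, ed)
    print(f"GitLab {ed} {ver}: " + (", ".join(found) if found else "not in any listed range"))
```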
Recommendations
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/
https://nvd.nist.gov/vuln/detail/CVE-2026-6552
https://nvd.nist.gov/vuln/detail/CVE-2026-7250
https://nvd.nist.gov/vuln/detail/CVE-2026-8589
