CCB Belgium Warns of 11 Critical GitLab Vulnerabilities, Patch Immediately

Warning: 11 new vulnerabilities in GitLab CE and EE editions, Patch Immediately!

Image

Published : 24/04/2026

• Last update: 24/04/2026
• Affected software: → GitLab Community Edition → GitLab Enterprise Edition
• Type: Code execution, Denial of service, Information disclosure
• CVE/CVSS → CVE-2026-4922 CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) → CVE-2026-5816 CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) → CVE-2026-5262 CVSS 8.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) → CVE-2025-0186 CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) → CVE-2026-1660 CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) → CVE-2025-6016 CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) → CVE-2025-3922 CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) → CVE-2026-6515 CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) → CVE-2026-5377 CVSS 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) → CVE-2026-3254 CVSS 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) → CVE-2025-9957 CVSS 2.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

Sources

GitLab advisory - https://docs.gitlab.com/releases/patches/patch-release-gitlab-18-11-1-released/

Risks

On 22 April 2026, GitLab addressed 11 vulnerabilities affecting GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerabilities differ in severity, ranging from low to high severity. This advisory will cover the 3 vulnerabilities with the highest severity CVSS scores: CVE-2026-4922, CVE-2026-5816 and CVE-2026-5262.

GitLab is an open-source platform used for software development that is popular across the world. Threat actors have been known to target GitLab instances, for instance to host and distribute malware.

As of the time of writing, there is no indication these vulnerabilities are actively exploited (cut-off date: 23 April 2026).

Description

CVE-2026-4922 is a cross-site request forgery vulnerability affecting the GraphQL API. Insufficient CSRF protection in GitLab GraphQL API allows unauthenticated users to execute GraphQL mutations on behalf of authenticated users. An attacker can craft malicious requests that, when clicked by an authenticated GitLab user, execute GraphQL mutations without the user's knowledge or consent. This could result in unauthorised modification of data and configurations within GitLab, including potential changes to project settings, user permissions, issue management, and other critical GitLab functionality.

CVE-2026-5816 is an improper resolution of path equivalence flaw affecting Web IDE assets. An unauthenticated user could exploit it to execute arbitrary JavaScript in a user’s browser session. This could lead to session hijacking, credential theft, unauthorised actions performed on behalf of the user, and potential access to sensitive data.

CVE-2026-5262 is a cross-site scripting vulnerability affecting Storybook. Under certain conditions, an unauthenticated attacker could exploit this vulnerability to gain unauthorised access to sensitive tokens stored in the Storybook development environment. This could lead to the compromise of authentication credentials, allowing attackers to authenticate as legitimate users and perform actions on the GitLab instance.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

The CCB also recommends implementing Content Security Policy headers to harden against cross-site request forgery attacks.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

The CCB recommends monitoring for, reviewing, any suspicious JavaScript execution, cross-site scripting attempts, and unauthorised token usage in your GitLab logs.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

Feedly - https://feedly.com/cve/CVE-2026-4922
Feedly - https://feedly.com/cve/CVE-2026-5816
Feedly - https://feedly.com/cve/CVE-2026-5262