CVE-2026-10086: High-Severity XSS Vulnerability in GitLab Enterprise Edition Analytics Dashboard – Analysis, Impact, and Mitigation Steps

Executive Summary

CVE-2026-10086 is a high-severity Cross-Site Scripting (XSS) vulnerability impacting the Analytics Dashboard of GitLab Enterprise Edition (EE). This vulnerability enables authenticated attackers to inject arbitrary JavaScript into the dashboard, which can be executed in the context of other users, potentially resulting in session hijacking, credential theft, privilege escalation, or lateral movement within the organization. The vulnerability is rated CVSS 8.7 and has been remediated in versions 19.1.1, 19.0.3, and 18.11.6. As of this advisory, there are no confirmed reports of exploitation in the wild, and CVE-2026-10086 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, due to the widespread use of GitLab in enterprise environments and the criticality of the vulnerability, prompt mitigation is strongly advised.

Technical Information

CVE-2026-10086 is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79, Cross-site Scripting). The vulnerability resides in the Analytics Dashboard component of GitLab EE, where insufficient input sanitization allows an authenticated user (with developer or higher privileges) to inject malicious JavaScript payloads. When another user accesses the compromised dashboard, the injected script executes in their browser context, inheriting their session and permissions.

The attack vector requires the adversary to have authenticated access to the vulnerable GitLab EE instance. By submitting crafted input to a dashboard field, the attacker can persistently embed JavaScript code. This code can be designed to exfiltrate session cookies, perform actions on behalf of the victim, or pivot further within the environment. The vulnerability affects all GitLab EE versions prior to 19.1.1, 19.0.3, and 18.11.6. The vendor has released patches, and both GitLab.com and GitLab Dedicated have been updated.

The technical exploitation flow is as follows: an attacker with developer or higher privileges injects a malicious script into the dashboard. When a victim with sufficient privileges views the dashboard, the script executes, potentially allowing the attacker to hijack the session, escalate privileges, or access sensitive data. The impact is amplified in environments where GitLab is integrated with CI/CD pipelines, secrets management, or other critical infrastructure.
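The root cause described above (CWE-79) is a missing output-encoding step between a user-controlled dashboard field and the generated HTML. The following is an added illustration written for this advisory, not GitLab's own code: a constructed panel title is rendered once with the vulnerable "interpolate straight into markup" pattern and once with HTML encoding applied at the output boundary, with a small regression check that confirms no raw script tag survives the hardened path.

```python
import html
import re

# Constructed example input: a user-editable dashboard panel title carrying
# a benign marker payload. The field name and markup are assumptions for
# illustration; this is not GitLab's data model or template code.
UNTRUSTED_TITLE = "Deploy frequency<script>alert(1)</script>"


def render_panel_unsafe(title: str) -> str:
    """'Before' pattern: the untrusted title is interpolated into markup
    without encoding, so any tags it contains become live HTML (CWE-79)."""
    return f"<h2 class='panel-title'>{title}</h2>"


def render_panel_safe(title: str) -> str:
    """Hardened pattern: HTML-encode the untrusted string at the point it
    enters the HTML text context. quote=True also encodes ' and " so the
    same helper stays safe if reused inside a quoted attribute."""
    return f"<h2 class='panel-title'>{html.escape(title, quote=True)}</h2>"


# Crude regression check used in tests: a raw <script opener in the output
# means the encoding step was skipped. Real templating engines do this
# encoding by default; the check exists to catch bypasses of that default.
SCRIPT_OPENER = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(rendered_html: str) -> bool:
    """Return True when a literal <script tag survives into the rendered output."""
    return SCRIPT_OPENER.search(rendered_html) is not None


if __name__ == "__main__":
    print("unsafe:", render_panel_unsafe(UNTRUSTED_TITLE))
    print("safe:  ", render_panel_safe(UNTRUSTED_TITLE))
```

Encoding has to match the output context: the HTML-body encoding shown here is not sufficient for a value placed into a URL, a JavaScript string, or an event-handler attribute, which is why frameworks push this into the template layer rather than relying on callers to remember it.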

Exploitation in the Wild

There are currently no confirmed public reports of exploitation or breaches directly attributed to CVE-2026-10086. The vulnerability is not present in the CISA KEV catalog, indicating that, as of this writing, it is not known to be actively exploited in the wild according to authoritative government sources. Nevertheless, the ease of exploitation for authenticated users and the high value of GitLab environments make this vulnerability an attractive target for threat actors. Historically, similar XSS vulnerabilities in GitLab have been leveraged for account takeover and data exfiltration, underscoring the importance of timely remediation.

APT Groups using this vulnerability

No specific Advanced Persistent Threat (APT) group attribution exists for CVE-2026-10086 at this time. However, APT groups such as APT29 and APT41 have previously targeted DevOps and CI/CD platforms, including GitLab, for initial access and lateral movement. While there is no evidence linking these groups to this particular vulnerability, organizations should remain vigilant, especially if they operate in sectors historically targeted by sophisticated adversaries.

Affected Product Versions

The affected products are GitLab Enterprise Edition (EE) versions prior to 19.1.1, 19.0.3, and 18.11.6. Specifically, all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 are vulnerable. Both GitLab.com and GitLab Dedicated have already been patched by the vendor.
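The three affected ranges above can be checked mechanically during inventory. The code below is an added example for this advisory, not a GitLab tool: it encodes exactly the ranges stated here (16.4 up to but not including 18.11.6, 19.0 before 19.0.3, 19.1 before 19.1.1), strips GitLab's edition suffix such as `-ee`, and accepts the JSON body returned by GitLab's `/api/v4/version` endpoint so it can be pointed at a fleet of self-managed instances. The sample JSON body is constructed.

```python
import json
from typing import Tuple

# Affected ranges as stated in this advisory: (first affected, first fixed).
# Tuple comparison gives correct ordering for dotted versions.
AFFECTED_RANGES = [
    ((16, 4), (18, 11, 6)),
    ((19, 0), (19, 0, 3)),
    ((19, 1), (19, 1, 1)),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.11.5-ee' into (18, 11, 5); the edition/pre-release suffix
    after the first '-' does not affect the vulnerability check."""
    core = version.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges.
    Versions outside every stated range (for example 16.3.x or 19.2.x) are
    reported as not affected, exactly as the advisory scopes them."""
    parsed = parse_version(version)
    return any(lo <= parsed < hi for lo, hi in AFFECTED_RANGES)


def is_vulnerable_from_api(body: str) -> bool:
    """Evaluate the JSON returned by GET /api/v4/version, which contains a
    'version' field (an authenticated GitLab API call; the body here is
    supplied by the caller, so this runs offline)."""
    return is_vulnerable(json.loads(body)["version"])


# Constructed sample response body, not captured from a real instance.
SAMPLE_VERSION_BODY = '{"version":"18.11.5-ee","revision":"deadbeef"}'

if __name__ == "__main__":
    for v in ("18.11.5-ee", "18.11.6-ee", "19.0.2-ee", "19.0.3-ee", "19.1.0-ee", "19.1.1-ee"):
        print(v, "VULNERABLE" if is_vulnerable(v) else "fixed/not in range")
```

The check is version-based only; the advisory scopes the issue to Enterprise Edition, so a `-ce` suffix on the same number should be reviewed against the vendor release notes rather than assumed affected by this script.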

Workaround and Mitigation

Immediate action should be taken to upgrade all self-managed GitLab EE instances to versions 19.1.1, 19.0.3, or 18.11.6, as appropriate. Organizations should review GitLab audit logs for suspicious dashboard modifications or anomalous user activity, and deploy browser-based security monitoring to detect unusual JavaScript execution on GitLab domains. Restricting dashboard editing permissions to trusted users and conducting regular security reviews of user roles and permissions are also recommended. If immediate patching is not feasible, consider disabling access to the Analytics Dashboard or restricting it to a minimal set of trusted users until remediation can be completed.
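The audit-log review recommended above can be started with a simple triage pass: select events that modify a dashboard and flag any whose new value contains HTML or script-like content, since a legitimate panel title or description has no reason to carry a tag or an event handler. The script below is an added example for this advisory, not a GitLab feature. The log lines are constructed, and the field names (`target_type`, `to`, `author_name`) are an assumption chosen for readability rather than GitLab's exact `audit_json.log` schema; map them to the real field names when running this against an instance.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample audit events in a GitLab-like JSON-lines format.
# Field names are assumptions for this example, not GitLab's exact schema.
SAMPLE_AUDIT_LINES = [
    '{"time":"2026-06-01T09:12:03Z","author_name":"dev-user-1","action":"update",'
    '"target_type":"analytics_dashboard","target_details":"Team velocity",'
    '"to":"Lead time for changes"}',
    '{"time":"2026-06-01T09:40:17Z","author_name":"dev-user-2","action":"update",'
    '"target_type":"analytics_dashboard","target_details":"Team velocity",'
    '"to":"Lead time<script>alert(1)</script>"}',
    '{"time":"2026-06-01T10:02:44Z","author_name":"dev-user-3","action":"update",'
    '"target_type":"merge_request","target_details":"!42",'
    '"to":"Fix <b> rendering in README"}',
    "this line is not valid json and is skipped by the parser",
]

# Markup indicators that should never appear in a dashboard title or label:
# an HTML tag opener, a javascript: URL scheme, or an inline event handler.
MARKUP_HINTS = re.compile(r"(<[a-zA-Z!/]|javascript\s*:|\bon[a-z]+\s*=)", re.IGNORECASE)

DASHBOARD_EDIT_ACTIONS = {"create", "update"}


def is_dashboard_edit(event: Dict) -> bool:
    """Only dashboard create/update events are in scope for this vulnerability."""
    return (
        event.get("target_type") == "analytics_dashboard"
        and event.get("action") in DASHBOARD_EDIT_ACTIONS
    )


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per dashboard edit whose new value looks like markup.
    Malformed lines are skipped rather than aborting the whole review."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not is_dashboard_edit(event):
            continue
        new_value = str(event.get("to", ""))
        if MARKUP_HINTS.search(new_value):
            findings.append({
                "time": event.get("time", ""),
                "author": event.get("author_name", ""),
                "target": event.get("target_details", ""),
                "snippet": new_value[:80],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LINES):
        print(f"{finding['time']} {finding['author']} edited {finding['target']!r}: {finding['snippet']!r}")
```

A hit is a lead, not a verdict: the flagged author and the current stored dashboard content should be reviewed, and the same pass is worth re-running over the retention window that predates the upgrade, because a persistent payload planted before patching is not removed by the patch.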

Indicators of Compromise

Indicators of Compromise (IOCs) are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise were available for CVE-2026-10086.

References

GitLab Patch Release: 19.1.1, 19.0.3, 18.11.6
Mallory.ai Threat Intelligence Story
HKCERT: GitLab Multiple Vulnerabilities
Reddit: Critical XSS Vulnerability Found in GitLab EE

Rescana is here for you

Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their supply chain and vendor ecosystem. Our platform delivers actionable intelligence, automated workflows, and deep visibility into emerging threats, helping you stay ahead of adversaries and regulatory requirements. We are happy to answer any questions at info@rescana.com.