CVE-2026-9694
LowCVSS 2.6Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an unauthenticated user could impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
Risk Assessment
This vulnerability could lead to abuse where unauthorized users can introduce malicious content, potentially impacting the organization's reputation and data security.
Recommendation
It is recommended to update GitLab to the latest version to mitigate this vulnerability and to review and monitor Service Desk email replies for potential abuse.
Original NVD description (English source)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

