CVE Catalog

CVE-2026-9694

LowCVSS 2.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile — higher than 2% of all known CVEs

Summary

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2. Under certain conditions, an unauthenticated user could impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

Risk Assessment

This vulnerability could lead to abuse where unauthorized users can introduce malicious content, potentially impacting the organization's reputation and data security.

Recommendation

It is recommended to update GitLab to the latest version to mitigate this vulnerability and to review and monitor Service Desk email replies for potential abuse.

Original NVD description (English source)

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS