CVE-2026-5816
Published: 22 April 2026
Summary
CVE-2026-5816 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 1.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of information inputs including paths, directly mitigating the improper path validation that enables arbitrary JavaScript execution in the victim's browser.
SI-15 requires filtering of information outputs to prevent injection of malicious JavaScript payloads resulting from path validation bypasses.
SI-2 ensures flaws like this path validation vulnerability are identified, reported, and remediated promptly through patching to updated GitLab versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the public-facing GitLab application enables exploitation to execute arbitrary JavaScript in the victim's browser, directly mapping to T1190 and T1059.007.
NVD Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation…
more
under certain conditions.
Deeper analysisAI
CVE-2026-5816 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that stems from improper path validation, enabling an unauthenticated user to execute arbitrary JavaScript in a victim's browser session under certain conditions. It affects all versions from 18.10 prior to 18.10.4 and 18.11 prior to 18.11.1. The issue has a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and is associated with CWE-41 (Improper Resolution of Path Equivalence).
An unauthenticated attacker with network access can exploit this vulnerability by tricking a user into interacting with a maliciously crafted request or resource that bypasses path validation checks. Exploitation requires high attack complexity and user interaction, but successful execution allows the attacker to achieve high-impact confidentiality and integrity violations within the changed scope of the victim's browser session, such as stealing session cookies, data, or performing actions on behalf of the user.
GitLab has remediated the issue with patch releases, including GitLab 18.11.1 and 18.10.4, as detailed in their release notes. Additional information is available in the associated GitLab work item (gitlab.com/gitlab-org/gitlab/-/work_items/592816) and the originating HackerOne disclosure report (hackerone.com/reports/3572231). Security practitioners should prioritize upgrading affected instances to patched versions.
Details
- CWE(s)