Cyber Resilience

CVE-2026-5816

High

Published: 22 April 2026

Published
22 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0041 32.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5816 is a high-severity Improper Resolution of Path Equivalence (CWE-41) vulnerability in Gitlab Gitlab. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-5816 is a vulnerability in GitLab Community Edition (CE) and Enterprise Edition (EE) that stems from improper path validation, enabling an unauthenticated user to execute arbitrary JavaScript in a victim's browser session under certain conditions. It affects all versions from 18.10 prior to 18.10.4 and 18.11 prior to 18.11.1. The issue has a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and is associated with CWE-41 (Improper Resolution of Path Equivalence).

An unauthenticated attacker with network access can exploit this vulnerability by tricking a user into interacting with a maliciously crafted request or resource that bypasses path validation checks. Exploitation requires high attack complexity and user interaction, but successful execution allows the attacker to achieve high-impact confidentiality and integrity violations within the changed scope of the victim's browser session, such as stealing session cookies, data, or performing actions on behalf of the user.

GitLab has remediated the issue with patch releases, including GitLab 18.11.1 and 18.10.4, as detailed in their release notes. Additional information is available in the associated GitLab work item (gitlab.com/gitlab-org/gitlab/-/work_items/592816) and the originating HackerOne disclosure report (hackerone.com/reports/3572231). Security practitioners should prioritize upgrading affected instances to patched versions.

EU & UK References

Vulnerability details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.10 before 18.10.4 and 18.11 before 18.11.1 that could have allowed an unauthenticated user to execute arbitrary JavaScript in a user's browser session due to improper path validation…

more

under certain conditions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability in the public-facing GitLab application enables exploitation to execute arbitrary JavaScript in the victim's browser, directly mapping to T1190 and T1059.007.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0314Same product: Gitlab Gitlab
CVE-2026-0752Same product: Gitlab Gitlab
CVE-2025-14560Same product: Gitlab Gitlab
CVE-2025-2255Same product: Gitlab Gitlab
CVE-2024-10383Same product: Gitlab Gitlab
CVE-2025-12716Same product: Gitlab Gitlab
CVE-2025-13761Same product: Gitlab Gitlab
CVE-2026-0723Same product: Gitlab Gitlab
CVE-2026-1090Same product: Gitlab Gitlab
CVE-2026-6073Same product: Gitlab Gitlab

Affected Assets

gitlab
gitlab
18.11.0 · 18.10.0 — 18.10.4 · 18.10.0 — 18.10.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of information inputs including paths, directly mitigating the improper path validation that enables arbitrary JavaScript execution in the victim's browser.

prevent

SI-15 requires filtering of information outputs to prevent injection of malicious JavaScript payloads resulting from path validation bypasses.

prevent

SI-2 ensures flaws like this path validation vulnerability are identified, reported, and remediated promptly through patching to updated GitLab versions.

References