ZeroPath at Black Hat USA 2026

GitLab EE CVE-2026-6073: Brief Summary of a High Severity XSS in Duo Agent Output Rendering

A brief summary of CVE-2026-6073, a high severity stored XSS vulnerability in GitLab Enterprise Edition's Duo Agent output rendering feature, including technical details, affected versions, and patch information.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-14

GitLab EE CVE-2026-6073: Brief Summary of a High Severity XSS in Duo Agent Output Rendering
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A recently patched Cross Site Scripting flaw in GitLab Enterprise Edition's Duo Agent output rendering allowed any authenticated user to inject arbitrary JavaScript that would execute in the browsers of other users viewing the same content. With a CVSS score of 8.7 and a "Changed" scope designation, this vulnerability could compromise user sessions and expose data well beyond the immediate rendering surface, making it a priority patch for any organization running self-managed GitLab EE instances.

Technical Information

Root Cause

CVE-2026-6073 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the Duo Agent output rendering path within GitLab Enterprise Edition. GitLab Duo is the platform's AI-powered assistant; the Duo Agent component specifically generates and returns output such as code suggestions, summaries, and workflow results that is rendered directly in the browser for users to consume.

The core flaw is straightforward: the application failed to properly sanitize output generated by the Duo Agent before injecting it into the page. Because this output is rendered in the browser context of whoever views it, an attacker who could influence the content of Duo Agent output could embed arbitrary JavaScript payloads that would then execute when other users interacted with the rendered content.

Attack Flow

The exploitation path follows a logical sequence:

  1. An authenticated attacker identifies the Duo Agent output rendering surface as accepting unsanitized input.
  2. The attacker crafts a malicious payload containing arbitrary JavaScript and introduces it through a vector that influences Duo Agent output.
  3. The malicious output is stored or reflected through the GitLab EE interface.
  4. When another authenticated user views the page containing the rendered Duo Agent output, the injected JavaScript executes in their browser context.
  5. The attacker's script can then access the victim's session tokens, perform actions on their behalf, or exfiltrate data accessible within the victim's browser session.

CVSS Breakdown

The CNA-assigned CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, yielding a score of 8.7 (High).

MetricValueRationale
Attack VectorNetworkExploitable over the network
Attack ComplexityLowNo advanced conditions required
Privileges RequiredLowAttacker must be authenticated
User InteractionRequiredVictim must view the malicious output
ScopeChangedImpact extends beyond the vulnerable component
ConfidentialityHighSession data and user information at risk
IntegrityHighAttacker can perform actions as the victim
AvailabilityNoneNo direct availability impact

The "Scope: Changed" metric is the key differentiator here. It indicates that successful exploitation crosses a trust boundary: the attacker compromises the Duo Agent rendering component, but the impact manifests in the victim's browser session, potentially affecting other systems and data the victim has access to.

Feature Introduction Timeline

The Duo Agent output rendering feature was introduced in GitLab EE version 18.7. This means the vulnerability has been present in every release from 18.7 onward through the unpatched branches, representing a window of several months during which the unsanitized rendering surface was exposed.

Patch Information

GitLab addressed CVE-2026-6073 in a coordinated security patch release published on May 13, 2026, shipping fixed versions across all three active release branches:

Current BranchFixed Version
18.7 through 18.9.618.9.7
18.10 through 18.10.518.10.6
18.11 through 18.11.218.11.3

GitLab.com was already running the patched version at the time of disclosure, and GitLab Dedicated customers required no action. Self-managed GitLab EE administrators should upgrade to one of the patched versions immediately.

The fix centers on improving input sanitization for content returned by the Duo Agent before it is rendered in the UI. By ensuring that output from the agent is properly escaped or filtered, the patch prevents injected scripts from being interpreted as executable code by the browser. This closes the stored/reflected XSS vector that the unsanitized rendering surface exposed.

The vulnerability was reported by security researcher joaxcar through GitLab's HackerOne bug bounty program. The associated GitLab work item (#596340) remains confidential per GitLab's standard 30-day disclosure policy and is expected to be made public approximately 30 days after the patch release.

Applying these patches also provides additional security benefits. The May 2026 security update addresses other high severity flaws, including unauthenticated Denial of Service vulnerabilities and additional sanitization gaps in the Banzai markdown sanitizer.

Affected Systems and Versions

This vulnerability is specific to GitLab Enterprise Edition and does not affect the Community Edition.

ProductAffected Version RangeFixed Version
GitLab EE18.7 through 18.9.618.9.7
GitLab EE18.10 through 18.10.518.10.6
GitLab EE18.11 through 18.11.218.11.3

The affected version range begins at 18.7, which is the version that introduced the Duo Agent output rendering feature. All subsequent releases through the unpatched branches are vulnerable. GitLab.com (the SaaS offering) and GitLab Dedicated instances were patched at the time of disclosure and are not at risk.

Vendor Security History

GitLab maintains a mature security posture with an active bug bounty program on HackerOne. The company's response to CVE-2026-6073 was consistent with their established disclosure practices: patches were released across multiple version branches simultaneously, clear CVSS scoring rationale was provided in the security advisory, and the work item was kept confidential per their standard 30-day disclosure policy. The May 2026 patch release addressed multiple vulnerabilities in a single coordinated update, including this XSS flaw alongside unauthenticated Denial of Service issues, demonstrating a consolidated approach to security maintenance.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization