Introduction
A stored Cross-site Scripting vulnerability in GitLab Enterprise Edition's customizable analytics dashboards allows an authenticated developer to plant JavaScript payloads that fire in other users' browser sessions, earning a CVSS score of 8.7. For organizations relying on GitLab EE's analytics features to track engineering metrics and compliance data, this flaw quietly turns a shared dashboard into a delivery mechanism for session hijacking or data exfiltration.
Technical Information
Root Cause
CVE-2026-7377 is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability exists in the customizable analytics dashboards feature of GitLab Enterprise Edition. User controlled data flowing into the dashboard rendering pipeline was not adequately escaped or sanitized before being written to the DOM. This means a specially crafted payload embedded in chart or dashboard configuration data could survive the entire rendering pipeline and execute as live JavaScript when the dashboard was viewed by another user.
CVSS Breakdown
The CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, which breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Authenticated user with developer role |
| User Interaction | Required | Victim must view the dashboard |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Full read access to victim's session context |
| Integrity | High | Ability to modify data in victim's session context |
| Availability | None | No denial of service component |
The "Changed" scope is particularly significant here. The vulnerable component is the analytics dashboard, but the impact lands in the victim's browser, a different security authority. This scope change is what pushes the score to 8.7.
Attack Flow
Based on the available advisory details, the exploitation path follows these steps:
- Initial Access: An attacker authenticates to a GitLab EE instance with at least developer role permissions.
- Payload Injection: The attacker crafts a malicious JavaScript payload and embeds it within the configuration or data fields of a customizable analytics dashboard. The exact injection point is within how charts and dashboards render data.
- Persistence: Because the payload is stored in the dashboard configuration, it persists on the server. This makes it a stored (persistent) XSS rather than a reflected one.
- Trigger: When any other authenticated user navigates to and views the compromised analytics dashboard, the improperly sanitized input is rendered in their browser.
- Execution: The malicious JavaScript executes in the context of the victim's browser session, giving the attacker the ability to steal session tokens, read sensitive page content, or perform actions on behalf of the victim.
The requirement for user interaction (the victim must view the dashboard) is the primary limiting factor. However, analytics dashboards are collaborative by nature, and sharing them across teams is a common workflow, which makes social engineering or passive exploitation straightforward in practice.
Patch Information
GitLab addressed CVE-2026-7377 on May 13, 2026, by shipping three coordinated patch releases for GitLab Enterprise Edition. The core of the fix centers on tightening the input sanitization logic applied to user controlled data flowing into the Analytics Dashboard. Before the patch, data rendered in these customizable dashboards was not adequately escaped or sanitized, meaning specially crafted payloads could survive the rendering pipeline and be injected directly into the DOM. The patch closes this gap by ensuring all user supplied input destined for dashboard rendering passes through proper sanitization filters that neutralize script injection vectors before output.
The fix covers three release branches:
| Affected Range | Fixed Version |
|---|---|
| GitLab EE 18.7 through 18.9.6 | 18.9.7 |
| GitLab EE 18.10 through 18.10.5 | 18.10.6 |
| GitLab EE 18.11 through 18.11.2 | 18.11.3 |
GitLab.com (the SaaS offering) was already running the patched version at the time of the announcement. GitLab Dedicated customers also required no manual action. Self managed installations, however, must upgrade to one of the fixed versions listed above. This applies to all deployment types: omnibus, source code, and helm charts.
The underlying security issue tracker (GitLab work item #598497) and the original HackerOne report (#3659044, submitted by the researcher known as aphantom) remain confidential at this time. Per GitLab's standard 30 day disclosure policy, the detailed issue, including the specific merge requests and code diffs that implement the sanitization fix, will be made public on the GitLab issue tracker approximately 30 days after the patch release.
Affected Systems and Versions
The vulnerability affects GitLab Enterprise Edition only. The specific affected version ranges are:
- GitLab EE versions 18.7 through 18.9.6 (fixed in 18.9.7)
- GitLab EE versions 18.10 through 18.10.5 (fixed in 18.10.6)
- GitLab EE versions 18.11 through 18.11.2 (fixed in 18.11.3)
The vulnerable configuration requires the customizable analytics dashboards feature to be accessible, and exploitation requires an authenticated user with at least developer role permissions.
GitLab.com (SaaS) and GitLab Dedicated instances are not affected, as they were already patched at the time of the advisory.
Vendor Security History
Analytics dashboards appear to be a recurring attack surface for GitLab. In April 2026, GitLab patched another Cross-site Scripting issue in analytics dashboards identified as CVE-2026-4332, which was addressed in the 18.10.3, 18.9.5, and 18.8.9 patch releases. Two XSS vulnerabilities in the same feature area within roughly a month suggests that the analytics rendering pipeline warrants deeper review and focused threat modeling.
GitLab maintains a mature security program, including a well established bug bounty program through HackerOne and a coordinated disclosure process. CVE-2026-7377 was reported through this bug bounty program by researchers aphantom and joaxcar. GitLab also signed the Secure by Design pledge, reflecting their commitment to proactive security practices.
References
- NVD Entry for CVE-2026-7377
- CVE Record: CVE-2026-7377
- GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7
- GitLab Official Release Announcement
- GitLab Work Item #598497 (Confidential)
- HackerOne Report #3659044 (Confidential)
- VulDB Entry for CVE-2026-7377
- SecurityOnline Coverage: GitLab Security Update
- GitLab Coordinated Disclosure Process
- GitLab Secure by Design Pledge Progress
- GitLab Patch Release: 18.10.3 (CVE-2026-4332)



