ZeroPath at Black Hat USA 2026

GitLab EE CVE-2026-7481: Brief Summary of a High Severity Stored XSS in Analytics Dashboard Charts

A short review of CVE-2026-7481, a stored Cross-Site Scripting vulnerability in GitLab Enterprise Edition's Analytics dashboard chart rendering, along with patch details and affected version ranges.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-14

GitLab EE CVE-2026-7481: Brief Summary of a High Severity Stored XSS in Analytics Dashboard Charts
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A stored Cross-Site Scripting flaw in GitLab Enterprise Edition's Analytics dashboard chart rendering allowed any authenticated developer to plant JavaScript payloads that would fire in the browsers of colleagues viewing the same dashboard. With a CVSS 3.1 score of 8.7 and a scope change that puts victim session confidentiality and integrity at risk, CVE-2026-7481 is a vulnerability that self-managed GitLab administrators should patch without delay.

Technical Information

Root Cause

The vulnerability is rooted in CWE-79: Improper Neutralization of Input During Web Page Generation. Within GitLab EE's Analytics dashboard, chart configurations accept user-controlled input. That input flows into the chart rendering pipeline and ultimately into the HTML served to any user who views the dashboard. The problem is straightforward: the application did not sanitize these values before rendering them, creating a classic stored XSS injection point.

Because the payload is stored server-side (in the chart configuration) and rendered to every subsequent viewer, this is a stored (persistent) XSS rather than a reflected one. The persistence amplifies the impact considerably; the attacker does not need to trick each victim into clicking a crafted link. They simply modify a dashboard chart, and every user who navigates to that Analytics page becomes a target.

CVSS 3.1 Breakdown

The assigned vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, which breaks down as follows:

MetricValueOperational Implication
Attack VectorNetworkExploitable remotely over the network.
Attack ComplexityLowNo advanced conditions are required to exploit.
Privileges RequiredLowAttacker needs a developer role account.
User InteractionRequiredVictim must view the crafted dashboard.
ScopeChangedThe script executes in the victim's browser context, crossing a trust boundary.
ConfidentialityHighHigh risk of sensitive data exposure, including session tokens.
IntegrityHighHigh risk of unauthorized modifications via the victim's session.
AvailabilityNoneDoes not directly cause denial of service.

The Scope: Changed designation is the key detail here. It means the vulnerable component (the GitLab server-side rendering) and the impacted component (the victim's browser session) are distinct security authorities. A successful exploit compromises both confidentiality and integrity of the victim's authenticated session, potentially enabling session hijacking, data exfiltration, or privilege escalation if the victim holds a higher role than the attacker.

Attack Flow

Based on the available advisory information, exploitation follows this sequence:

  1. The attacker authenticates to a GitLab EE instance with at least developer-role permissions on a project or group.
  2. The attacker navigates to the Analytics dashboard and modifies a chart configuration, injecting a JavaScript payload into a field that is not properly sanitized.
  3. The malicious chart configuration is saved server-side.
  4. When another user (potentially an administrator or maintainer) views the same Analytics dashboard, the chart rendering pipeline outputs the attacker's payload directly into the page HTML.
  5. The victim's browser executes the injected JavaScript within the context of their authenticated GitLab session.
  6. The attacker's script can then perform actions such as stealing session cookies, making API calls on behalf of the victim, or exfiltrating sensitive repository and pipeline data.

The insecure code path has existed since GitLab EE version 16.4, meaning this injection vector was present for roughly two years before remediation.

Patch Information

GitLab addressed CVE-2026-7481 in a coordinated security patch release published on May 13, 2026, shipping fixed versions across three release branches:

Release SeriesVulnerable VersionsMinimum Patched Version
18.1118.11 before 18.11.318.11.3
18.1018.10 before 18.10.618.10.6
16.4 to 18.916.4 before 18.9.718.9.7

At its core, the fix introduces proper sanitization of user-controlled values before they reach the chart rendering layer, breaking the injection vector. This follows GitLab's standard backporting approach: the current stable branch receives the patch first, then backports are applied to the two previous minor releases.

GitLab.com (the SaaS offering) was already running the patched version at the time of announcement. GitLab Dedicated customers were not required to take any manual action. Self-managed installations, however, must upgrade to one of the fixed versions listed above.

It is worth noting that the specific source-level code changes (diffs, commits) are not yet publicly visible. GitLab's security policy makes vulnerability issue details and associated merge requests public on their issue tracker 30 days after the patch release. The internal tracking work item (gitlab-org/gitlab#598646) and the corresponding HackerOne report (#3697379, reported by researcher yvvdwf) are both currently restricted. Full technical disclosure is expected around mid-June 2026.

Affected Systems and Versions

The vulnerability affects GitLab Enterprise Edition only. The following version ranges are confirmed vulnerable:

  • All GitLab EE versions from 16.4 up to (but not including) 18.9.7
  • GitLab EE versions 18.10 up to (but not including) 18.10.6
  • GitLab EE versions 18.11 up to (but not including) 18.11.3

GitLab Community Edition is not mentioned in the advisory as affected. GitLab.com (SaaS) has already been patched. GitLab Dedicated instances did not require manual intervention.

Vendor Security History

GitLab maintains a mature and transparent security program. The company operates a public bug bounty program through HackerOne, which is the channel through which CVE-2026-7481 was responsibly reported. GitLab serves as a CVE Numbering Authority (CNA), issuing its own CVE identifiers for vulnerabilities in its products. Their coordinated disclosure process restricts vulnerability details on the GitLab issue tracker for 30 days after a patch ships, giving customers a window to upgrade before full technical details become public. This structured approach to vulnerability management reflects the expectations of an organization whose platform underpins CI/CD pipelines and source code management for a large segment of the software industry.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization