Introduction
A stored Cross-Site Scripting flaw in GitLab Enterprise Edition's Analytics dashboard chart rendering allowed any authenticated developer to plant JavaScript payloads that would fire in the browsers of colleagues viewing the same dashboard. With a CVSS 3.1 score of 8.7 and a scope change that puts victim session confidentiality and integrity at risk, CVE-2026-7481 is a vulnerability that self-managed GitLab administrators should patch without delay.
Technical Information
Root Cause
The vulnerability is rooted in CWE-79: Improper Neutralization of Input During Web Page Generation. Within GitLab EE's Analytics dashboard, chart configurations accept user-controlled input. That input flows into the chart rendering pipeline and ultimately into the HTML served to any user who views the dashboard. The problem is straightforward: the application did not sanitize these values before rendering them, creating a classic stored XSS injection point.
Because the payload is stored server-side (in the chart configuration) and rendered to every subsequent viewer, this is a stored (persistent) XSS rather than a reflected one. The persistence amplifies the impact considerably; the attacker does not need to trick each victim into clicking a crafted link. They simply modify a dashboard chart, and every user who navigates to that Analytics page becomes a target.
CVSS 3.1 Breakdown
The assigned vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, which breaks down as follows:
| Metric | Value | Operational Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network. |
| Attack Complexity | Low | No advanced conditions are required to exploit. |
| Privileges Required | Low | Attacker needs a developer role account. |
| User Interaction | Required | Victim must view the crafted dashboard. |
| Scope | Changed | The script executes in the victim's browser context, crossing a trust boundary. |
| Confidentiality | High | High risk of sensitive data exposure, including session tokens. |
| Integrity | High | High risk of unauthorized modifications via the victim's session. |
| Availability | None | Does not directly cause denial of service. |
The Scope: Changed designation is the key detail here. It means the vulnerable component (the GitLab server-side rendering) and the impacted component (the victim's browser session) are distinct security authorities. A successful exploit compromises both confidentiality and integrity of the victim's authenticated session, potentially enabling session hijacking, data exfiltration, or privilege escalation if the victim holds a higher role than the attacker.
Attack Flow
Based on the available advisory information, exploitation follows this sequence:
- The attacker authenticates to a GitLab EE instance with at least developer-role permissions on a project or group.
- The attacker navigates to the Analytics dashboard and modifies a chart configuration, injecting a JavaScript payload into a field that is not properly sanitized.
- The malicious chart configuration is saved server-side.
- When another user (potentially an administrator or maintainer) views the same Analytics dashboard, the chart rendering pipeline outputs the attacker's payload directly into the page HTML.
- The victim's browser executes the injected JavaScript within the context of their authenticated GitLab session.
- The attacker's script can then perform actions such as stealing session cookies, making API calls on behalf of the victim, or exfiltrating sensitive repository and pipeline data.
The insecure code path has existed since GitLab EE version 16.4, meaning this injection vector was present for roughly two years before remediation.
Patch Information
GitLab addressed CVE-2026-7481 in a coordinated security patch release published on May 13, 2026, shipping fixed versions across three release branches:
| Release Series | Vulnerable Versions | Minimum Patched Version |
|---|---|---|
| 18.11 | 18.11 before 18.11.3 | 18.11.3 |
| 18.10 | 18.10 before 18.10.6 | 18.10.6 |
| 16.4 to 18.9 | 16.4 before 18.9.7 | 18.9.7 |
At its core, the fix introduces proper sanitization of user-controlled values before they reach the chart rendering layer, breaking the injection vector. This follows GitLab's standard backporting approach: the current stable branch receives the patch first, then backports are applied to the two previous minor releases.
GitLab.com (the SaaS offering) was already running the patched version at the time of announcement. GitLab Dedicated customers were not required to take any manual action. Self-managed installations, however, must upgrade to one of the fixed versions listed above.
It is worth noting that the specific source-level code changes (diffs, commits) are not yet publicly visible. GitLab's security policy makes vulnerability issue details and associated merge requests public on their issue tracker 30 days after the patch release. The internal tracking work item (gitlab-org/gitlab#598646) and the corresponding HackerOne report (#3697379, reported by researcher yvvdwf) are both currently restricted. Full technical disclosure is expected around mid-June 2026.
Affected Systems and Versions
The vulnerability affects GitLab Enterprise Edition only. The following version ranges are confirmed vulnerable:
- All GitLab EE versions from 16.4 up to (but not including) 18.9.7
- GitLab EE versions 18.10 up to (but not including) 18.10.6
- GitLab EE versions 18.11 up to (but not including) 18.11.3
GitLab Community Edition is not mentioned in the advisory as affected. GitLab.com (SaaS) has already been patched. GitLab Dedicated instances did not require manual intervention.
Vendor Security History
GitLab maintains a mature and transparent security program. The company operates a public bug bounty program through HackerOne, which is the channel through which CVE-2026-7481 was responsibly reported. GitLab serves as a CVE Numbering Authority (CNA), issuing its own CVE identifiers for vulnerabilities in its products. Their coordinated disclosure process restricts vulnerability details on the GitLab issue tracker for 30 days after a patch ships, giving customers a window to upgrade before full technical details become public. This structured approach to vulnerability management reflects the expectations of an organization whose platform underpins CI/CD pipelines and source code management for a large segment of the software industry.
References
- NVD: CVE-2026-7481
- CVE Record: CVE-2026-7481
- GitLab Patch Release: 18.11.3, 18.10.6, 18.9.7
- GitLab Official Release Announcement
- GitLab Work Item #598646 (restricted)
- HackerOne Report #3697379 (restricted)
- GitHub Advisory: GHSA-4qfp-7g23-rwjx
- SecurityOnline: GitLab Security Update
- GitLab Coordinated Disclosure Policy



