CVE-2026-8589 · Severity: HIGH · CNA: GitLab

CVE-2026-8589: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 18.10.8 (18.11.5 and 19.0.2 for the 18.11 and 19.0 release lines)
Affected products: 1


HarborGuard Analysis

Synopsis

A stored cross-site scripting (XSS) vulnerability affects GitLab EE from 13.1.4 up to the fix releases 18.10.8, 18.11.5 and 19.0.2. Read off the CVSS vector (AV:N/AC:H/PR:H/UI:R/S:C), the flaw is reachable over the network, needs a highly privileged account (PR:H; the advisory names group setting fields as the injection point but does not say which role is required to edit them), depends on conditions outside the attacker's control, and needs the victim to interact with the injected content. When those conditions line up, attacker-supplied script runs in the targeted user's browser under that user's session; the advisory states this could be used to add unauthorized email addresses to the victim's account, and the vector's C:H/I:H rating means the victim's data and account state are both exposed. HarborGuard provides patched-image rebuilds at 18.10.8, 18.11.5 and 19.0.2 for environments running affected versions.
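To make "improper neutralization of input during web page generation" concrete, the following is an added illustration written for this page; it is not GitLab's code and not the actual vulnerable template, which the advisory does not publish. It renders a hypothetical group-setting value through stock ERB unescaped, beside the same template with ERB::Util.html_escape applied, and checks which rendering lets raw markup survive. The field name, the attacker value and the check are all constructed for the example.

```ruby
require 'erb'

# Constructed attacker-controlled value for a hypothetical group setting
# field. Any '<' that reaches the page unescaped makes the browser parse the
# rest as markup, and the onerror handler becomes attacker-run script.
ATTACKER_VALUE = 'Platform team <img src=x onerror="alert(document.domain)">'

# Vulnerable rendering: stock ERB does not escape <%= %> output, so the
# stored value is written into the page verbatim. (In Rails, where <%= %>
# escapes by default, the equivalent bug is calling raw or .html_safe on
# user-supplied data before interpolating it.)
def render_unsafe(value)
  template = '<p class="group-setting"><%= value %></p>'
  ERB.new(template).result(binding)
end

# Hardened rendering: the value is HTML-escaped at the point it is written
# into an HTML text context, so '<', '>', '"', "'" and '&' become entities
# and the browser shows them as literal characters instead of parsing them.
def render_safe(value)
  template = '<p class="group-setting"><%= ERB::Util.html_escape(value) %></p>'
  ERB.new(template).result(binding)
end

# Crude regression check: nothing inside the wrapper element may still be a
# raw '<', because that is exactly what lets injected markup become active.
def unescaped_markup_survives?(html)
  inner = html[%r{<p class="group-setting">(.*)</p>}m, 1]
  raise ArgumentError, 'wrapper element missing' if inner.nil?
  inner.include?('<')
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(ATTACKER_VALUE)}"
  puts "safe:   #{render_safe(ATTACKER_VALUE)}"
  puts "markup survives unsafe rendering? #{unescaped_markup_survives?(render_unsafe(ATTACKER_VALUE))}"
  puts "markup survives safe rendering?   #{unescaped_markup_survives?(render_safe(ATTACKER_VALUE))}"
end
```

The point of the check is that escaping has to happen at the output context, not at storage time: the same stored string is harmless or dangerous depending only on how the template writes it out.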

HarborGuard Coverage

Detection: Available

Detection runs in every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built GitLab EE images. Any image whose GitLab EE version falls in an affected range (13.1.4 before 18.10.8, 18.11 before 18.11.5, 19.0 before 19.0.2) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.3 HIGH and weights it against each environment's compliance policy to surface it at the appropriate severity tier. Findings are routed to the team inbox configured in each customer org, based on image ownership and policy rules.

Patch: Available

A patched-image rebuild at 18.10.8, 18.11.5 or 19.0.2, matching the release line of the affected image, is available for customer environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against the affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GitLab EE web interface over the network (AV:N); there is no local or physical access requirement.

  • Authentication: Required

    A highly privileged account is needed (PR:H). The advisory identifies group setting fields as the injection point, so the attacker must at minimum be able to edit those fields; the advisory does not say which role that is. Low-privilege access alone is not sufficient.

  • Victim interaction: Required

    A targeted user must interact with the injected content (UI:R), for example by viewing the page where the poisoned setting is rendered, before the script executes in their browser.

  • Attack complexity: High

    Success depends on conditions outside the attacker's control (AC:H). The advisory says only that the issue is exploitable "under certain conditions" and does not spell them out, so a payload planted in the field should not be assumed to fire on every view.

Blast Radius

  • Reads whatever the victim's authenticated browser session can read (C:H): any GitLab page or API response the victim can fetch, injected script running in their origin can fetch too.
  • Adds attacker-chosen email addresses to the targeted user's GitLab account, the impact named in the advisory (I:H); a foreign address on an account is a foothold for notification hijacking and, depending on what that address is later trusted for, account takeover.
  • Performs other account-level actions on the victim's behalf by scripting requests inside their authenticated session; because the effect lands in the victim's account rather than the attacker's, the vector records a scope change (S:C).

How HarborGuard Handles This

Images containing affected GitLab EE versions (13.1.4 through the last pre-fix release of each line) are matched against this CVE within minutes of ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fix version for the release line in use (18.10.8, 18.11.5 or 19.0.2), runs a regression test pass, and opens a pull request against the affected workloads. Where compliance policy permits, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who patch manually will find the flagged images and recommended fix versions in their HarborGuard dashboard, with CVSS scoring and compliance-policy weighting applied to help rank remediation against other open findings.


Fix available: 18.10.8, 18.11.5, 19.0.2

Affected packages
  • GitLab / GitLab: < 18.10.8 (from 13.1.4) · < 18.11.5 (from 18.11) · < 19.0.2 (from 19.0)
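The Detection paragraph above and this affected-package list both come down to one version-range check, and getting it right matters because GitLab image tags carry edition and build suffixes and because three release lines each have their own fix. The following is an added example written for this page, not HarborGuard's scanner and not GitLab tooling: it encodes the three published ranges, normalizes a tag such as 18.10.7-ee.0 to its numeric core, reports whether a version is affected and which fix version applies, and scans a constructed list of image references. The registry host, image names and inventory are made up for the example.

```ruby
require 'rubygems'

# Affected ranges exactly as published in the advisory: each entry is
# [first affected version, first fixed version], with "before" exclusive.
CVE_2026_8589_RANGES = [
  { from: '13.1.4', before: '18.10.8' },
  { from: '18.11',  before: '18.11.5' },
  { from: '19.0',   before: '19.0.2'  },
].freeze

# GitLab tags carry edition/build suffixes such as "18.10.7-ee" or
# "18.10.7-ee.0". Keep only the leading dotted numeric part so Gem::Version
# compares it as a release rather than treating the suffix as a prerelease.
def gitlab_core_version(version_string)
  core = version_string[/\A\d+(?:\.\d+)*/]
  raise ArgumentError, "not a GitLab version: #{version_string.inspect}" if core.nil?
  Gem::Version.new(core)
end

# Returns { affected: true/false, fixed_in: "x.y.z" or nil } for one version.
# A version outside every published range is reported as not affected; the
# function makes no guess about versions the advisory does not mention.
def cve_2026_8589_status(version_string)
  v = gitlab_core_version(version_string)
  hit = CVE_2026_8589_RANGES.find do |r|
    v >= Gem::Version.new(r[:from]) && v < Gem::Version.new(r[:before])
  end
  hit ? { affected: true, fixed_in: hit[:before] } : { affected: false, fixed_in: nil }
end

# Scans image references and keeps only the affected ones, each paired with
# the fix version to rebuild to. The version is assumed to be the image tag
# (the part after the last ':'), which holds for the constructed inventory.
def affected_images(image_refs)
  image_refs.filter_map do |ref|
    status = cve_2026_8589_status(ref.split(':').last)
    { image: ref, fixed_in: status[:fixed_in] } if status[:affected]
  end
end

# Constructed sample inventory, not real customer data.
SAMPLE_IMAGES = [
  'registry.example.test/gitlab/gitlab-ee:18.10.7-ee.0',
  'registry.example.test/gitlab/gitlab-ee:18.10.8-ee.0',
  'registry.example.test/gitlab/gitlab-ee:18.11.4-ee.0',
  'registry.example.test/gitlab/gitlab-ee:19.0.1-ee.0',
  'registry.example.test/gitlab/gitlab-ee:19.0.2-ee.0',
  'registry.example.test/gitlab/gitlab-ee:13.1.3-ee.0',
].freeze

if __FILE__ == $PROGRAM_NAME
  affected_images(SAMPLE_IMAGES).each do |hit|
    puts "#{hit[:image]} -> rebuild at #{hit[:fixed_in]}"
  end
end
```

Two details worth keeping when adapting this: the 18.10.8 fix does not cover 18.11.x, so a flat "below 19.0.2" comparison would miss 18.11.0 through 18.11.4, and the ranges are written with "from" bounds so that 18.10.9 and later patch releases of a fixed line are correctly reported as clean.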
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N