Executive Summary
CVE-2026-10087 is a stored cross-site scripting (XSS) vulnerability in GitLab Enterprise Edition (EE) rated CVSS 8.7 (High). Under certain conditions, an authenticated user holding the Developer role can store JavaScript that later executes in the browsers of other users who view the affected content, including maintainers, owners, and administrators, and therefore runs with their permissions. All GitLab EE versions from 17.1 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 are affected.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-10087 |
| CVSS Score | 8.7 (High) |
| Type | Stored Cross-Site Scripting (XSS) |
| Product | GitLab Enterprise Edition (EE) |
| Affected Versions | 17.1 before 18.10.8; 18.11 before 18.11.5; 19.0 before 19.0.2 |
| Fixed Versions | 18.10.8, 18.11.5, 19.0.2 |
| Authentication Required | Yes (Developer role) |
| Attack Vector | Network |
| Scope | Changed (impacts users of higher privilege) |
| Impact | Arbitrary client-side code execution as other users |
Technical Analysis
Vulnerability Class
This is a stored XSS vulnerability — malicious script content is persisted in GitLab's backend and subsequently rendered in victim users' browsers without proper sanitization or encoding. Stored XSS is generally considered more severe than reflected XSS because the attack does not require tricking a victim into clicking a crafted URL; once the payload is stored, any user who views the affected content is automatically attacked.
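To make the "without proper sanitization or encoding" point concrete, here is an added Python illustration of the vulnerability class. It is not GitLab's code (GitLab's rendering pipeline is Ruby and is not reproduced here): a renderer that interpolates stored comment text straight into the page sits next to one that escapes all text and passes markup through an allowlist of tags, attributes and URL schemes. The allowlist policy and the payload strings are assumptions constructed for the example.

```python
"""Stored XSS: verbatim interpolation versus allowlist sanitization.

Added illustration of the vulnerability class, not GitLab code. The
allowlist is an example policy assumed for this demonstration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Example policy (assumed): a few formatting tags, attributes only on <a>,
# and links restricted to same-origin paths or an explicit scheme allowlist.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_unsafe(comment: str) -> str:
    """The vulnerable pattern: stored text dropped into the page verbatim."""
    return f'<div class="note">{comment}</div>'


def _safe_href(value: str) -> bool:
    """Allow same-origin paths and allowlisted schemes only. Allowlisting the
    scheme (instead of blocking "javascript:") also rejects obfuscated forms
    such as "JAVASCRIPT:" or "java\\nscript:"."""
    v = (value or "").strip()
    if v.startswith("/") and not v.startswith("//"):
        return True  # path-relative; "//host/..." would be protocol-relative
    return urlsplit(v).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises allowlisted markup; drops other tags, escapes all text,
    and records what it removed so the caller can log it."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list = []
        self.stack: list = []     # open allowlisted tags, for well-formed output
        self.dropped: list = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)          # <img>, <script>, <svg>, ...
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")       # onclick, style, ...
            elif name == "href" and not _safe_href(value):
                self.dropped.append(f"{tag}@href={value!r}")
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:                 # close back to the matching tag
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Text is always escaped, including the body of a dropped <script>.
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions hit the base-class
    # no-op handlers and are therefore discarded.

    def result(self) -> str:
        self.close()
        while self.stack:                     # close anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(comment: str):
    """Return (clean_html, list_of_dropped_items)."""
    s = AllowlistSanitizer()
    s.feed(comment)
    return s.result(), s.dropped


def render_safe(comment: str) -> str:
    """The hardened pattern: sanitize stored markup before interpolating it."""
    clean, _ = sanitize(comment)
    return f'<div class="note">{clean}</div>'


# Constructed payloads of the kind a Developer could store in a comment.
PAYLOADS = [
    "<img src=x onerror=alert(document.cookie)>",
    '<a href="javascript:alert(1)" onclick="steal()">docs</a>',
    '<a href="java\nscript:alert(1)">obfuscated scheme</a>',
    '<script>fetch("/api/v4/user")</script>',
    '<p>Legit <b>formatting</b> and a <a href="https://example.com/docs">link</a></p>',
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("unsafe:", render_unsafe(p))
        print("safe:  ", render_safe(p), sanitize(p)[1])
```

Two design points carry over to any renderer: the policy is an allowlist (unknown tags, attributes and schemes are dropped, so a new browser feature cannot slip through), and the `dropped` record gives the application something to log, which is exactly the signal a detection team wants when a Developer account starts submitting content full of event handlers.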
Attack Conditions
The vulnerability is exploitable when:
- An attacker holds at minimum a Developer role on a GitLab EE instance
- The attacker crafts and submits content containing a malicious script payload to a vulnerable GitLab EE feature
- A victim user (potentially with elevated privileges) views the affected content in their browser
- GitLab EE renders the stored content without adequate sanitization
Impact
A successful exploit allows the attacker's JavaScript to run in the security context of the victim's active GitLab session. Depending on the victim's role and permissions, this could enable:
- Session hijacking — GitLab's session cookie is set HttpOnly, so the script cannot read it directly; the practical route is to issue authenticated requests from inside the victim's browser, which attaches the session cookie automatically and exposes the page's CSRF token to the injected script
- API calls as the victim — creating/deleting repositories, modifying CI/CD pipelines, exfiltrating source code, adding SSH keys or access tokens
- Privilege escalation — using a maintainer or owner account to perform actions beyond the attacker's direct permissions
- Supply chain risk — if a pipeline owner is targeted, the attacker could modify CI/CD configurations to inject malicious code into builds
The Changed scope in the CVSS rating records that the injected code runs in other users' sessions, including users with permissions the attacker lacks; that is what lifts the impact above an XSS whose effects stay within the attacker's own role.
Affected Environments
Any organization running GitLab Enterprise Edition in the affected version ranges and granting Developer access to users who are not fully trusted is potentially at risk. This includes:
- Self-managed GitLab EE deployments (cloud, on-premises, or hybrid)
- Organizations with external contributors, contractors, or less-trusted internal developers
- Environments where internal GitLab content is reviewed or accessed by administrators
GitLab.com (SaaS) is patched and maintained by GitLab — only self-managed EE instances require action.
Remediation
Immediate Fix
Upgrade GitLab EE to a patched version immediately:
| Current Version | Upgrade Target |
|---|---|
| 17.1 – 18.10.7 | 18.10.8 or later |
| 18.11.0 – 18.11.4 | 18.11.5 or later |
| 19.0.0 – 19.0.1 | 19.0.2 or later |
Follow GitLab's official upgrade documentation for your deployment method (Omnibus, Docker, Helm/Kubernetes).
Temporary Mitigations
If immediate upgrade is not feasible:
- Restrict Developer access — Audit who holds Developer-level permissions; reduce to Reporters or Guests for less-trusted users until patching is complete
- Restrict content rendering — Review whether any GitLab EE-specific rendering features that less-trusted users can reach can be temporarily disabled until the upgrade is complete
- Increase monitoring — Alert on unusual API activity, especially from Developer-role accounts during off-hours
Post-Patch Review
- Audit recent Developer-role activity — Review GitLab audit logs for unusual actions by Developer-level accounts prior to patching
- Check for injected content — Search project content, wiki pages, snippets, and comments for known XSS payload patterns
- Rotate sensitive tokens — If any maintainer or owner accounts may have been compromised, rotate personal access tokens, deploy keys, and CI/CD variables
- Review CI/CD pipelines — Inspect recently modified pipeline configurations for unauthorized changes
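The two review steps that lend themselves to scripting are identifying who holds the Developer role (the "Restrict Developer access" mitigation above) and pulling those accounts' pre-patch audit events forward for a human to read (the first post-patch item). The following Python is an added example, not GitLab's code. Its inputs are constructed inline to mirror the shape of the project members and instance audit events APIs (GitLab access level 30 is Developer); the patch timestamp, the keyword list and the off-hours window are assumptions chosen for the example and should be replaced with your own.

```python
"""Post-patch triage: Developer-role members and their pre-patch audit events.

Added example, not GitLab code. The sample records are constructed to
approximate GET /api/v4/projects/:id/members and GET /api/v4/audit_events;
the keyword list, off-hours window and patch time are assumptions.
"""
import json
from datetime import datetime, timezone

# GitLab access levels: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner.
DEVELOPER = 30

# Assumed: substrings in an audit message that merit a second look when the
# actor was a Developer account during the exploitable window.
SENSITIVE_TERMS = ("token", "ssh key", "deploy key", "ci variable", "pipeline", "member")
OFF_HOURS = range(0, 6)  # UTC hours treated as off-hours in this example

PATCHED_AT = datetime(2026, 5, 4, 0, 0, tzinfo=timezone.utc)  # assumed upgrade time

# Constructed sample: one Developer and one Maintainer.
MEMBERS_JSON = """[
  {"id": 12, "username": "contractor-a", "access_level": 30},
  {"id": 7,  "username": "lead-dev",     "access_level": 40}
]"""

# Constructed sample audit events (shape approximates /api/v4/audit_events).
AUDIT_JSON = """[
  {"id": 1, "author_id": 12, "entity_type": "User",
   "details": {"author_name": "contractor-a", "custom_message": "Added personal access token",
               "ip_address": "203.0.113.10", "entity_path": "contractor-a"},
   "created_at": "2026-05-02T02:14:00.000Z"},
  {"id": 2, "author_id": 12, "entity_type": "Project",
   "details": {"author_name": "contractor-a", "custom_message": "Pushed to branch feature/x",
               "ip_address": "203.0.113.10", "entity_path": "group/app"},
   "created_at": "2026-05-02T10:30:00.000Z"},
  {"id": 3, "author_id": 7, "entity_type": "Project",
   "details": {"author_name": "lead-dev", "custom_message": "Added CI variable DEPLOY_KEY",
               "ip_address": "198.51.100.5", "entity_path": "group/app"},
   "created_at": "2026-05-03T09:00:00.000Z"},
  {"id": 4, "author_id": 12, "entity_type": "Project",
   "details": {"author_name": "contractor-a", "custom_message": "Added CI variable PROD_TOKEN",
               "ip_address": "203.0.113.10", "entity_path": "group/app"},
   "created_at": "2026-05-05T12:00:00.000Z"}
]"""


def developer_ids(members: list) -> set:
    """IDs of members holding exactly the Developer role named in the advisory."""
    return {m["id"] for m in members if m.get("access_level") == DEVELOPER}


def parse_ts(s: str) -> datetime:
    # API timestamps are ISO 8601 with a trailing Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def triage(events: list, dev_ids: set, patched_at: datetime) -> list:
    """Pre-patch events by Developer accounts, each tagged with why it was flagged."""
    flagged = []
    for ev in events:
        if ev["author_id"] not in dev_ids:
            continue
        ts = parse_ts(ev["created_at"])
        if ts >= patched_at:
            continue  # only the window in which the bug was exploitable
        msg = ev["details"].get("custom_message", "").lower()
        reasons = [t for t in SENSITIVE_TERMS if t in msg]
        if ts.hour in OFF_HOURS:
            reasons.append("off-hours")
        if reasons:
            flagged.append({"id": ev["id"], "author": ev["details"]["author_name"],
                            "when": ev["created_at"], "ip": ev["details"].get("ip_address"),
                            "message": ev["details"].get("custom_message", ""),
                            "reasons": reasons})
    return flagged


def run(members_json: str = MEMBERS_JSON, audit_json: str = AUDIT_JSON,
        patched_at: datetime = PATCHED_AT) -> list:
    return triage(json.loads(audit_json), developer_ids(json.loads(members_json)), patched_at)


if __name__ == "__main__":
    for hit in run():
        print(hit["id"], hit["when"], hit["author"], hit["ip"], hit["reasons"], "-", hit["message"])
```

Against the constructed data only event 1 is returned: a Developer adding a personal access token at 02:14 UTC before the patch. Event 4 is the same kind of action but after the upgrade, and event 3 was performed by a Maintainer, so neither is in scope for this specific review. To run it for real, feed `run()` the JSON from your members and audit events endpoints rather than the embedded samples; the output is a shortlist for analysts, not a verdict.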
Detection
```bash
# Check your GitLab EE version
sudo gitlab-rake gitlab:env:info | grep "GitLab information" -A 5
# Or via the API
curl -H "PRIVATE-TOKEN: <your_token>" https://<your-gitlab>/api/v4/version
```
Monitor GitLab audit logs for:
- Unusual API calls from Developer-level accounts
- Mass repository cloning or CI variable access
- New SSH key or access token creation by unexpected users
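The version commands above print a string; the decision still has to be made against three separate release lines. The following Python is an added example, not GitLab's code: it extracts the version from either the JSON body of GET /api/v4/version or the "Version:" line of gitlab:env:info output, strips the -ee suffix, and tests it against the affected ranges stated in this advisory. The two sample outputs are constructed, and the instance URL and token in fetch_version() are placeholders.

```python
"""Is this GitLab EE version in an affected range for CVE-2026-10087?

Added example, not GitLab code. The ranges are the ones stated in this
advisory; the instance URL and token in fetch_version() are placeholders
and the two sample outputs are constructed.
"""
import json
import re
import urllib.request
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, first fixed) per release line, from the advisory table.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((17, 1, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Pull MAJOR.MINOR[.PATCH] out of '18.10.7-ee' or out of the 'Version:'
    line of gitlab:env:info output; a missing patch number counts as .0."""
    for line in text.splitlines():          # prefer the explicit Version: line
        if line.strip().lower().startswith("version:"):
            text = line
            break
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upgrade_target(version: Version) -> Optional[Version]:
    """First fixed release on the affected line, or None when not in range."""
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return first_fixed
    return None


def is_vulnerable(version: Version) -> bool:
    return upgrade_target(version) is not None


def assess(version_text: str) -> dict:
    v = parse_version(version_text)
    target = upgrade_target(v)
    return {
        "version": ".".join(map(str, v)),
        "vulnerable": target is not None,
        "upgrade_to": ".".join(map(str, target)) if target else None,
    }


def assess_api_response(body: str) -> dict:
    """Takes the JSON body returned by GET /api/v4/version."""
    return assess(json.loads(body)["version"])


def fetch_version(base_url: str, token: str) -> str:
    """Live lookup (needs network; not used by the offline samples below)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version", headers={"PRIVATE-TOKEN": token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["version"]


# Constructed samples of the two outputs produced by the commands above.
SAMPLE_API = '{"version": "18.10.7-ee", "revision": "0123abcd"}'
SAMPLE_RAKE = "GitLab information\nVersion:\t18.11.5-ee\nRevision:\t0123abcd\n"

if __name__ == "__main__":
    print(assess_api_response(SAMPLE_API))  # vulnerable; upgrade to 18.10.8
    print(assess(SAMPLE_RAKE))              # not vulnerable
```

A version below 17.1 comes back as not vulnerable because it is outside the ranges this advisory states, not because it has been assessed as safe; treat such an instance as out of support and upgrade it regardless.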