High (8.7)

GitLab Vulnerability (CVE-2026-1090)

CVE-2026-1090

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 10.6 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user, when the `markd...

Affected: GitLab

Overview

A high-severity security vulnerability has been identified in GitLab Community Edition (CE) and Enterprise Edition (EE). Tracked as CVE-2026-1090, this flaw could allow an attacker to execute malicious JavaScript code in a victim’s web browser, potentially compromising user sessions and data.

Vulnerability Details

This is a Cross-Site Scripting (XSS) vulnerability within GitLab’s markdown processing feature. Specifically, the issue exists when a specific feature flag, named `markdown_placeholders`, is enabled on the instance. Under this condition, GitLab did not properly sanitize placeholder content entered into markdown fields. An authenticated user (anyone with a valid login) could exploit this by injecting malicious scripts into markdown content, such as issues, merge requests, or comments.

Impact and Risk

With a high CVSS score of 8.7, this vulnerability poses a significant risk. Successful exploitation could allow an attacker to:

  • Hijack user sessions by stealing authentication cookies.
  • Perform actions on behalf of the victim without their consent.
  • Deface pages or redirect users to malicious websites.
  • Potentially access sensitive data visible in the user’s browser session.

This could lead to a serious data breach or system compromise.

Affected Versions

The vulnerability impacts multiple versions of GitLab CE/EE:

  • All versions starting from 10.6 up to, but not including, 18.7.6
  • All versions of 18.8 up to, but not including, 18.8.6
  • All versions of 18.9 up to, but not including, 18.9.2
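The three ranges above are branch-specific, so a plain "newer than 18.7.6" comparison gets 18.8.0 wrong. The following Ruby helper, added here as an illustration and not part of the advisory or of GitLab's own code, classifies a version string against exactly those ranges; the `:unaffected` result for versions outside every listed range is an assumption of this example, not a statement from the advisory.

```ruby
# Added example (not from the advisory): classify a GitLab version string
# against the affected ranges published for CVE-2026-1090.
#   10.6   <= v < 18.7.6
#   18.8.0 <= v < 18.8.6
#   18.9.0 <= v < 18.9.2
# 18.8 and 18.9 are compared against their own branch's fix, so 18.8.0 is
# affected even though it is numerically newer than 18.7.6.

FIRST_AFFECTED = [10, 6, 0].freeze
BRANCH_FIX = {
  [18, 7] => [18, 7, 6],
  [18, 8] => [18, 8, 6],
  [18, 9] => [18, 9, 2],
}.freeze

# Parse "18.8.3", "v18.8.3" or "18.8.3-ee" into [18, 8, 3]; edition and
# pre-release suffixes are dropped, a missing patch component counts as 0.
def parse_version(str)
  core = str.to_s.strip.sub(/\Av/i, '').split(/[-+]/, 2).first.to_s
  parts = core.split('.')
  unless parts.size.between?(2, 3) && parts.all? { |p| p.match?(/\A\d+\z/) }
    raise ArgumentError, "unrecognised GitLab version: #{str.inspect}"
  end
  nums = parts.map(&:to_i)
  nums << 0 while nums.size < 3
  nums
end

# Returns :affected, :fixed, or :unaffected (outside every listed range,
# e.g. older than 10.6 or a branch newer than 18.9; an assumption of this
# example, since the advisory lists only the three ranges above).
def cve_2026_1090_status(version_str)
  v = parse_version(version_str)
  return :unaffected if (v <=> FIRST_AFFECTED) < 0

  fix = BRANCH_FIX[v[0, 2]]
  if fix
    (v <=> fix) < 0 ? :affected : :fixed
  elsif (v <=> BRANCH_FIX[[18, 7]]) < 0
    :affected   # 10.6 .. 18.6: every release before 18.7.6 is in range
  else
    :unaffected # 18.10 and later are not in any listed range
  end
end
```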

Remediation and Mitigation

The primary and most critical action is to update your GitLab installation immediately to a patched version.

Immediate Action:

  1. Upgrade GitLab to one of the following secure versions, matching the release branch you run:
    • 18.7.6
    • 18.8.6
    • 18.9.2

Temporary Mitigation (if immediate upgrade is not possible):

  • Disable the feature flag. Administrators can disable the `markdown_placeholders` feature flag system-wide. This will prevent exploitation of this specific vulnerability but may affect functionality for users relying on this feature.
    • This can be done via the GitLab Rails console: `Feature.disable(:markdown_placeholders)`

All administrators should prioritize applying these updates.
