EUVD-2026-36224
GHSA-5cr4-qwvx-32j2
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AV:N because attack is delivered via email; AC:H per 'certain conditions'; PR:N per description's explicit 'unauthenticated user' language, overriding the conflicting official PR:L; UI:R because victim must view the injected issue content; I:L for content injection only.
Primary rating from Vendor (GitLab).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionNVD
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.
AnalysisAI
Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The GitLab Service Desk feature must be enabled on the target project - this is a non-default, opt-in feature requiring project maintainer or administrator configuration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is constrained by multiple compounding factors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains or enumerates the Service Desk email address for a GitLab project, then crafts a reply email whose body contains template substitution sequences targeting GitLab's internal email renderer. When GitLab processes the inbound email reply under the conditions required to trigger the vulnerability, the template engine evaluates the injected tokens and renders forged content attributed to the GitLab Support Bot identity within the issue thread. … |
| Remediation | Upgrade to a patched release immediately: GitLab 18.10.8, 18.11.5, or 19.0.2, as documented in the vendor patch advisory at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting and account integrity abuse in GitLab Enterprise Edition versions 13.1.4 through 18.10.7, 18
Stored cross-site scripting in GitLab Enterprise Edition's Analytics Dashboard allows an authenticated developer-role us
Account takeover in GitLab Enterprise Edition versions 15.5 through 19.0.2 allows an authenticated group Owner to hijack
Denial of service in GitLab CE/EE versions 12.10 through 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 allows un
Uncontrolled resource consumption in GitLab CE/EE's file upload processing pipeline enables any authenticated user to tr
Share
External POC / Exploit Code
Leaving vuln.today