Severity by source
CVSS Vector (Vendor: GitLab): CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Developer-role authentication (PR:L), specific undisclosed file-naming conditions (AC:H), and passive reviewer interaction (UI:R) are all required; integrity impact from hidden code changes (I:L) with no availability effect.
Primary rating from Vendor (GitLab).
Description (source: CVE.org)
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.
Analysis (AI-generated)
Merge request diff manipulation in GitLab CE/EE allows authenticated users with developer-role permissions to hide file changes from code reviewers by exploiting improper input handling of file names, undermining the integrity of the code review process. Publicly available exploit code exists via HackerOne report #3638136 (tagged 'exploit' in vendor references), though no confirmed active exploitation has been recorded in CISA KEV. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to hold at minimum a developer-role membership within the target GitLab project (PR:L, authenticated low-privilege); unauthenticated or guest/reporter-role users cannot exploit this vulnerability. … |
| Risk Assessment | The official CVSS 3.1 score of 3.7 materially understates the practical security impact for organizations that rely on GitLab merge request reviews as a code-quality or security gatekeeping control. … |
| Exploit Scenario | A developer with legitimate repository access crafts a merge request containing one or more files whose names exploit the improper input handling to cause GitLab's diff view to omit or misrepresent those files' changes when a reviewer inspects the MR. The reviewer, seeing an apparently complete and innocuous diff, approves the merge request, while the hidden code modifications (potentially malicious backdoors, dependency tampering, or authorization bypasses) are silently merged into the target branch. … |
| Remediation | Upgrade self-managed GitLab CE/EE instances to 18.10.8, 18.11.5, or 19.0.2 as documented in the vendor patch release at https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/. … |
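As an added check (not vuln.today's or GitLab's own code), the following Python maps the affected ranges quoted in the description onto a version-string test, so an operator can confirm whether a self-managed instance's reported version still needs the 18.10.8 / 18.11.5 / 19.0.2 upgrade. It assumes the MAJOR.MINOR.PATCH[-suffix] form GitLab reports (e.g. "18.10.7-ee"); the `is_affected` and `required_fix` names are this example's own.

```python
# Added example: version-range check for the affected ranges stated in the
# advisory description. Ranges are [introduced, fixed) per release branch.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# From the description: 15.9 before 18.10.8, 18.11 before 18.11.5,
# 19.0 before 19.0.2.
AFFECTED_RANGES = (
    ((15, 9, 0), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
)


def parse_version(s: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH][-suffix]' (e.g. '18.10.7-ee') into a tuple.

    A missing PATCH component is treated as 0, so '18.11' means 18.11.0.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def required_fix(version: str) -> Optional[str]:
    """Minimum patched version on the instance's branch, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not real instance data.
    for sample in ("18.10.7-ee", "18.10.8", "18.11.4", "19.0.1", "17.5.0"):
        fix = required_fix(sample)
        status = f"affected, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:12s} {status}")
```

Versions older than 18.10 but at or above 15.9 resolve to 18.10.8 as the minimum fixed version on that line, matching the description's first range.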
External POC / Exploit Code: HackerOne report #3638136 (cited in the analysis above).
Related identifiers: EUVD-2026-36228, GHSA-7mq5-3vcf-v96v