CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration
From CTI Daily Brief — 2026-05-29 · published 2026-05-29
GitLab shipped patch versions 19.0.1, 18.11.4 and 18.10.7 on 2026-05-27, closing six CVEs. The most severe is CVE-2026-4868 (CVSS 8.2, CWE-639), an improper identity-resolution flaw in the GitLab Duo AI integration: an authenticated user can impersonate another user when Duo AI workflows are triggered, and the workflow runners then execute under the second user's identity. CVE-2026-6713 (CVSS 5.3) lets an unauthenticated attacker enumerate private projects through an incorrect authorization issue in GitLab's GraphQL WorkItem API. The remaining CVEs in the batch are CVE-2026-1402 (CVSS 6.5, Wiki DoS via malformed markup), CVE-2026-2601 (CVSS 4.3, deployment-data exposure to Developer-role users), CVE-2026-5296 (CVSS 4.3, Developer-role flow-restriction bypass) and CVE-2026-8716 (CVSS 4.3, CI cross-reference data exposure). NCSC-NL advisory NCSC-2026-0168 rates the batch high; CERT-FR (ANSSI) carries the corresponding advisory CERTFR-2026-AVI-0658. No exploitation has been reported.