CVE-2026-9694 | GitLab has remediated an issue in GitLab CE/EE affecting all… | CVSS 2.6 LOW

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions, could have allowed an unauthenticated user to impersonate the GitLab Support Bot and inject arbitrary content via a specially crafted Service Desk email reply due to improper neutralization in email template processing.

Metadata

CVE ID: CVE-2026-9694
State: PUBLISHED
Assigner: GitLab
Reserved: 2026-05-27 11:03 UTC
Published: 2026-06-11 10:19 UTC
Last updated: 2026-06-11 12:38 UTC
Primary CWE: CWE-153
CWE-153: Improper Neutralization of Substitution Characters
Vendor / Product: GitLab / GitLab
Sources: cve.org · NVD

Severity & Metrics

2.6 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
GitLab	GitLab	—	15.9 < 18.10.8, 18.11 < 18.11.5, 19.0 < 19.0.2

Weakness (CWE)

CWE	Source	Description
CWE-153	cna	CWE-153: Improper Neutralization of Substitution Characters

CVSS scores (1)

Score	Severity	Version	Source	Vector
2.6	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References (3)

https://gitlab.com/gitlab-org/gitlab/-/work_items/601330
HackerOne Bug Bounty Report #3685720 https://hackerone.com/reports/3685720
https://about.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/