CVE-2026-0752
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject arbitrary scripts into GitLab's Mermaid diagram sandbox UI, potentially leading to cross-site scripting (XSS) attacks. It affects all GitLab Community Edition and Enterprise Edition installations running vulnerable versions. The attack requires specific conditions but can be executed without authentication.
💻 Affected Systems
- GitLab Community Edition
- GitLab Enterprise Edition
📦 What is this software?
GitLab by GitLab
GitLab is a complete DevOps platform providing source code management, CI/CD pipelines, security scanning, container registry, and collaboration tools used by millions of developers and thousands of enterprises worldwide. As both a cloud-hosted SaaS offering (GitLab.com) and self-managed software, G...
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via session hijacking, data exfiltration, or deployment of malicious code to other users through persistent XSS payloads.
Likely Case
Session hijacking of authenticated users, credential theft via phishing, or limited data exposure from users who interact with malicious diagrams.
If Mitigated
Minimal impact if proper Content Security Policies (CSP) are enforced and users have script-blocking browser extensions, though some risk remains.
🎯 Exploit Status
Exploitation requires specific conditions in the Mermaid sandbox UI but has been demonstrated in HackerOne reports. No public exploit code is available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.7.5, 18.8.5, or 18.9.1
Vendor Advisory: https://about.gitlab.com/releases/2026/02/25/patch-release-gitlab-18-9-1-released/
Restart Required: Yes
Instructions:
1. Back up your GitLab instance.
2. Update to GitLab 18.7.5, 18.8.5, or 18.9.1 using your package manager (apt/yum).
3. Run 'gitlab-ctl reconfigure'.
4. Restart GitLab services with 'gitlab-ctl restart'.
🔧 Temporary Workarounds
Disable Mermaid diagram rendering (linux)
Temporarily disable Mermaid diagram functionality to prevent exploitation:
gitlab-rails runner "ApplicationSetting.current.update!(mermaid_enabled: false)"
Confirm that this setting exists on your GitLab version first; update! raises an error on an unknown attribute and changes nothing.
Enforce strict Content Security Policy (linux)
Add CSP headers to block inline scripts and restrict script sources.
Add to /etc/gitlab/gitlab.rb:
nginx['custom_gitlab_server_config'] = "add_header Content-Security-Policy \"default-src 'self'; script-src 'self' 'unsafe-inline' https:;\" always;"
Note that 'unsafe-inline' in script-src still permits inline scripts, so this header as written restricts script hosts but does not block inline script; tighten it only after confirming that GitLab's own pages still load.
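An added example (not GitLab code or the advisory's own) that evaluates a Content-Security-Policy value for script weaknesses before it is deployed. It applies the CSP rules that script-src falls back to default-src when absent and that a nonce or hash source makes 'unsafe-inline' ignored; PAGE_POLICY is the header value from the workaround above.

```python
# Evaluate a CSP header value for weaknesses in how it governs scripts.
PAGE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:;"

# Source expressions that hand script execution to arbitrary hosts or schemes.
BROAD_SOURCES = ("*", "http:", "https:", "data:")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header value into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_script_src(policy):
    """script-src governs scripts; when it is absent, default-src applies."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def script_weaknesses(header):
    """Return human-readable weaknesses in the effective script policy."""
    sources = [s.lower() for s in effective_script_src(parse_csp(header))]
    issues = []
    if not sources:
        issues.append("no script-src or default-src: scripts are unrestricted")
    # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP2+).
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        issues.append("'unsafe-inline' allows inline scripts (no nonce/hash)")
    if "'unsafe-eval'" in sources:
        issues.append("'unsafe-eval' allows eval()")
    for s in sources:
        if s in BROAD_SOURCES:
            issues.append(f"source {s} allows scripts from any host")
    return issues


if __name__ == "__main__":
    for issue in script_weaknesses(PAGE_POLICY):
        print("weak:", issue)
```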
🧯 If You Can't Patch
- Implement network segmentation to restrict GitLab instance access to trusted users only
- Deploy a web application firewall (WAF) with XSS protection rules enabled
🔍 How to Verify
Check if Vulnerable:
Check the GitLab version and edition with: grep -E 'gitlab-(ce|ee)' /opt/gitlab/version-manifest.txt
Check Version:
grep gitlab /opt/gitlab/version-manifest.txt
Verify Fix Applied:
Confirm the version is 18.7.5, 18.8.5, or 18.9.1+ using the same command, then confirm that Mermaid diagrams still render on the patched instance.
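An added example (not GitLab code) that turns the manual version check above into a per-series comparison: 18.7.x needs 18.7.5, 18.8.x needs 18.8.5 and 18.9.x needs 18.9.1. The manifest text is a constructed sample, and two assumptions are not stated on the page: series newer than 18.9 carry the fix, and series older than 18.7 have no fix listed and are reported as vulnerable.

```python
import re

# Fixed versions named in the advisory, keyed by release series (major, minor).
FIXED = {(18, 7): (18, 7, 5), (18, 8): (18, 8, 5), (18, 9): (18, 9, 1)}

# Constructed stand-in for /opt/gitlab/version-manifest.txt: the first line
# names the edition and version, later lines list bundled components.
SAMPLE_MANIFEST = """gitlab-ee 18.8.3

Component        Installed Version
----------------------------------
example-component  1.2.3
"""


def parse_version(manifest):
    """Return (edition, (major, minor, patch)) from version-manifest.txt text."""
    m = re.search(r"^gitlab-(ce|ee)\s+(\d+)\.(\d+)\.(\d+)", manifest, re.M)
    if not m:
        raise ValueError("no gitlab-ce/gitlab-ee line found in manifest")
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def status(version):
    """'fixed' or 'vulnerable' for a (major, minor, patch) tuple."""
    series = version[:2]
    if series in FIXED:
        return "fixed" if version >= FIXED[series] else "vulnerable"
    if series > max(FIXED):
        return "fixed"        # assumed: later series include the patch
    return "vulnerable"       # assumed: older series have no fix listed


def check(manifest):
    """Edition, parsed version and patch status for one manifest."""
    edition, version = parse_version(manifest)
    return edition, version, status(version)


if __name__ == "__main__":
    # On a real host: check(open("/opt/gitlab/version-manifest.txt").read())
    print(check(SAMPLE_MANIFEST))
```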
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Mermaid-related endpoints
- JavaScript payloads in diagram data parameters
- Error logs containing script injection attempts
Network Indicators:
- HTTP requests with encoded script tags in diagram parameters
- Outbound connections to suspicious domains from GitLab instance
SIEM Query:
source="gitlab.log" AND ("mermaid" OR "diagram") AND ("script" OR "javascript:" OR "onerror=")
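An added detection example (not from the advisory or GitLab) that applies the SIEM query's markers to log lines in code. It goes beyond the query in two ways: lines are percent-decoded before matching, so the encoded script tags listed under Network Indicators are caught, and the bare "script" term is narrowed to an opening tag so words such as "description" do not fire. The log lines and paths are constructed placeholders, not real GitLab endpoints.

```python
import re
from urllib.parse import unquote

# Markers from the advisory's query ("script", "javascript:", "onerror=").
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript:|\bon(?:error|load)\s*=", re.I)
DIAGRAM_CONTEXT = re.compile(r"mermaid|diagram", re.I)

# Constructed log lines in a generic web-server style; paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /example/mermaid/render" 200 "graph TD; A-->B"',
    '10.0.0.6 - - "POST /example/mermaid/render" 200 "%3Cscript%3E1%3C%2Fscript%3E"',
    '10.0.0.7 - - "GET /example/diagram?src=javascript%3Avoid(0)" 302 "-"',
    '10.0.0.8 - - "GET /example/projects/1/issues?description=x" 200 "-"',
    '10.0.0.9 - - "POST /example/search?q=%253Cscript%253E" 200 "-"',
]


def decode_layers(text, max_rounds=3):
    """Undo repeated percent-encoding, bounded so crafted input cannot loop."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(line):
    """True when a diagram-related line carries a script marker after decoding."""
    if not DIAGRAM_CONTEXT.search(line):
        return False
    return bool(SCRIPT_MARKERS.search(decode_layers(line)))


def flag_lines(lines):
    """Return only the lines worth an analyst's attention."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("suspicious:", hit)
```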