CVE-2026-6976 — Authorization Bypass Through User-Controlled Key in GitLab

Description

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.9 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user with developer-role permissions to hide changes from merge request diff views due to improper input handling of file names.

How to fix CVE-2026-6976

To remediate CVE-2026-6976, upgrade the affected package to a fixed version below.

Bitnami/gitlab—upgrade to 18.10.8 or later

Is CVE-2026-6976 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-6976.

Affected packages (1)

>= 15.9.0, < 18.10.8, >= 18.11.0, < 18.11.5, >= 19.0.0, < 19.0.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

References (4)

WEBabout.gitlab.com/releases/2026/06/10/patch-release-gitlab-19-0-2-released/
WEBgitlab.com/gitlab-org/gitlab/-/work_items/598165
WEBhackerone.com/reports/3638136
WEBnvd.nist.gov/vuln/detail/CVE-2026-6976