CVE-2026-8589
HIGH WAF: High
CVSS 8.7
Published: 2026-06-11
CWE-79
GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.
WAF Coverage Analysis
Cross-Site Scripting (XSS)
High WAF Coverage
OWASP: A03:2021 Injection
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| gitlab | gitlab | 13.1.4 - 18.10.8 |
| gitlab | gitlab | 13.1.4 - 18.10.8 |
| gitlab | gitlab | 18.11.0 - 18.11.5 |
| gitlab | gitlab | 18.11.0 - 18.11.5 |
| gitlab | gitlab | 19.0.0 - 19.0.2 |
| gitlab | gitlab | 19.0.0 - 19.0.2 |
References
- about.gitlab.com (Release Notes)
- gitlab.com (Issue Tracking)
- hackerone.com (Permissions Required)