CVE-2026-8589
GitLab Vulnerability Analysis and Mitigation

Overview

CVE-2026-8589 is a Cross-Site Scripting (XSS) vulnerability in GitLab EE and CE that, under certain conditions, allows an authenticated user to add unauthorized email addresses to a targeted user's account by exploiting improper sanitization of user-supplied input in certain group setting fields. It affects GitLab versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 (both Community and Enterprise editions). The vulnerability was published on June 11, 2026, and was reported via HackerOne. It carries a CVSS v3.1 base score of 8.7 (High) per NVD, though the GitHub Advisory Database scores it at 7.3 (High) with stricter attack complexity and privilege requirements (GitHub Advisory, GitLab Patch Release).

Technical details

The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation — Cross-Site Scripting), arising from insufficient sanitization of user-supplied input in certain GitLab group setting fields. An authenticated attacker with low privileges can craft malicious input in these fields that, when rendered in a victim's browser session (requiring user interaction), enables the attacker to add unauthorized email addresses to the targeted user's account. The attack vector is network-based, and exploitation requires the victim to interact with attacker-controlled content, consistent with a stored or reflected XSS scenario. The vulnerability was disclosed via HackerOne report #3722842 and tracked internally at GitLab work item #600099 (GitHub Advisory).

Impact

Successful exploitation allows an authenticated attacker to add unauthorized email addresses to another user's GitLab account, which can be leveraged to take over that account (e.g., via password reset flows sent to the attacker-controlled email). The scope change in the CVSS vector indicates that the impact extends beyond the attacker's own account to affect other users' accounts, with high confidentiality and integrity impact. Availability is not directly affected, but account compromise could enable lateral movement within GitLab projects, unauthorized code access, and supply chain risks (GitHub Advisory, GitLab Patch Release).

Exploitation steps

  1. Reconnaissance: Identify a target GitLab EE/CE instance running a vulnerable version (13.1.4–18.10.7, 18.11.0–18.11.4, or 19.0.0–19.0.1) and obtain a low-privileged authenticated account.
  2. Identify vulnerable group setting fields: Navigate to a GitLab group's settings page and locate input fields that accept user-supplied content and are rendered without proper sanitization.
  3. Craft malicious XSS payload: Insert a crafted payload into the vulnerable group setting field designed to execute JavaScript in the context of a victim user's browser session when they view the affected group settings.
  4. Trigger victim interaction: Lure the target user (e.g., a group owner or admin) to visit the group settings page containing the malicious payload, causing the script to execute in their browser.
  5. Add unauthorized email address: The executed script leverages the victim's authenticated session to make an API or form request to add an attacker-controlled email address to the victim's GitLab account.
  6. Account takeover: Use the newly added email address to initiate a password reset for the victim's account, gaining full control (GitHub Advisory).

Indicators of compromise

  • Logs: GitLab application logs showing unexpected POST requests to user email management endpoints (e.g., /profile/emails) originating from unusual IP addresses or during sessions where the user was viewing group settings pages.
  • Logs: Audit log entries in GitLab showing email addresses added to user accounts that were not initiated by the account owner, particularly if correlated with group settings page visits.
  • Network: Outbound requests from a victim's browser to attacker-controlled domains (e.g., for XSS payload callbacks or data exfiltration) originating from GitLab page contexts.
  • Application: Unexpected email addresses appearing in user account profiles, especially addresses not associated with the account owner's organization domain.
  • Application: Password reset emails sent to email addresses not recognized by the account owner, indicating a newly added attacker-controlled address was used.
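One way to turn the two log indicators above into a check, as an added example that is not part of this report: the script correlates GitLab production_json.log entries per user and flags a POST to the email management endpoint that closely follows a group settings page view by the same user, or that comes from an address outside that user's baseline. The log lines, the field names assumed for them and the per-user IP baseline are constructed for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of GitLab's production_json.log; the field names used
# here (time, method, path, remote_ip, user_id, username) are assumed for this example.
SAMPLE_LOG = """\
{"time":"2026-06-12T09:00:00.000Z","method":"GET","path":"/groups/devteam/-/edit","remote_ip":"10.0.0.5","user_id":42,"username":"alice"}
{"time":"2026-06-12T09:00:04.000Z","method":"POST","path":"/-/profile/emails","remote_ip":"10.0.0.5","user_id":42,"username":"alice"}
{"time":"2026-06-12T10:15:00.000Z","method":"POST","path":"/-/profile/emails","remote_ip":"203.0.113.9","user_id":7,"username":"bob"}
{"time":"2026-06-12T11:00:00.000Z","method":"POST","path":"/-/profile/emails","remote_ip":"10.0.0.8","user_id":9,"username":"carol"}
"""

# Constructed per-user baseline of expected source addresses (built from earlier logs in practice).
KNOWN_IPS = {42: {"10.0.0.5"}, 7: {"10.0.0.6"}, 9: {"10.0.0.8"}}

EMAIL_ADD = re.compile(r"^(?:/-)?/profile/emails/?$")  # email management endpoint (with or without /-/)
GROUP_SETTINGS = re.compile(r"^/groups/[^?]+/-/edit")  # group settings page
WINDOW = timedelta(seconds=60)                          # max gap between page view and email add
TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def find_suspicious_email_adds(log_text, known_ips=KNOWN_IPS, window=WINDOW):
    """Flag POSTs to the email endpoint that follow a group settings view by the same user
    within `window` (the XSS chain described above) or come from an IP outside the baseline."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])
    last_settings_view = {}  # user_id -> time of that user's most recent group settings GET
    alerts = []
    for ev in events:
        ts, uid = datetime.strptime(ev["time"], TIME_FMT), ev["user_id"]
        if ev["method"] == "GET" and GROUP_SETTINGS.match(ev["path"]):
            last_settings_view[uid] = ts
            continue
        if ev["method"] != "POST" or not EMAIL_ADD.match(ev["path"]):
            continue
        reasons = []
        seen = last_settings_view.get(uid)
        if seen is not None and ts - seen <= window:
            reasons.append("email added within %ds of viewing group settings" % window.seconds)
        if ev["remote_ip"] not in known_ips.get(uid, set()):
            reasons.append("source IP %s not in user baseline" % ev["remote_ip"])
        if reasons:
            alerts.append({"username": ev["username"], "time": ev["time"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_email_adds(SAMPLE_LOG):
        print(alert)
```

Against the sample, alice is flagged for the settings-view-then-email-add sequence and bob for the unfamiliar source address, while carol's self-initiated change passes.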

Mitigation and workarounds

GitLab has released patched versions addressing this vulnerability: 18.10.8, 18.11.5, and 19.0.2. All GitLab EE and CE administrators running affected versions (13.1.4 through the unpatched releases) should upgrade to the appropriate fixed version immediately. As a complementary measure, restrict group settings modification to trusted administrators and monitor GitLab audit logs for unexpected email address additions to user accounts. No specific configuration-based workaround has been published by GitLab (GitLab Patch Release, GitHub Advisory).
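An added example for the upgrade step above, not code from GitLab or this report: it classifies a GitLab version string against the three affected ranges named here and reports the fixed release to move to. The optional check_instance helper reads the version from the instance's /api/v4/version endpoint using a personal access token; the endpoint is GitLab's, while the base URL and token are placeholders the caller supplies.

```python
import json
import re
import urllib.request

# Affected ranges from the advisory, each as [first affected, first fixed).
AFFECTED_RANGES = [
    ((13, 1, 4), (18, 10, 8)),
    ((18, 11, 0), (18, 11, 5)),
    ((19, 0, 0), (19, 0, 2)),
]


def parse_version(text):
    """Turn a GitLab version string such as '18.10.7-ee' into a (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised GitLab version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True if the version falls inside any affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version_text):
    """Smallest patched release for the range the version falls in, or None if unaffected."""
    v = parse_version(version_text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return "%d.%d.%d" % hi
    return None


def check_instance(base_url, token):
    """Ask a live instance for its version (GET /api/v4/version, authenticated with a
    personal access token) and classify it; base_url and token are supplied by the caller."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v4/version",
                                 headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        version = json.load(resp)["version"]
    return version, is_vulnerable(version), fixed_version_for(version)


if __name__ == "__main__":
    # Offline demonstration on constructed version strings.
    for v in ("18.10.7-ee", "18.10.8", "18.11.4", "19.0.1", "19.0.2", "17.2.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "not affected", fixed_version_for(v))
```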

Community reactions

Security news outlets including SecurityOnline, GBHackers, and CyberPress covered the GitLab patch release as part of broader reporting on multiple vulnerabilities fixed in the June 2026 patch cycle. UnderCodeNews highlighted the release under a headline emphasizing high-severity vulnerabilities affecting development workflows. No notable individual researcher commentary or significant social media debate specific to CVE-2026-8589 has been observed beyond standard vulnerability aggregation and reporting.

Additional resources

This report was generated using AI.

Related GitLab vulnerabilities:

CVE ID        | Severity | Score | Technology | Component name                                   | CISA KEV exploit | Fixed | Publication date
CVE-2026-8589 | HIGH     | 8.7   | GitLab     | gitlab-cng-19.0                                  | No               | Yes   | Jun 11, 2026
CVE-2026-7250 | HIGH     | 7.5   | GitLab     | gitlab-cng-fips-19.0                             | No               | Yes   | Jun 11, 2026
CVE-2026-9204 | MEDIUM   | 6.5   | GitLab     | gitlab                                           | No               | Yes   | Jun 11, 2026
CVE-2026-9694 | MEDIUM   | 4.3   | GitLab     | gitlab-cng-fips-19.0                             | No               | Yes   | Jun 11, 2026
CVE-2026-6976 | LOW      | 3.7   | GitLab     | cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:* | No               | Yes   | Jun 11, 2026
