{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1094", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "state": "PUBLISHED", "assignerShortName": "GitLab", "dateReserved": "2026-01-16T21:33:12.365Z", "datePublished": "2026-02-11T11:04:35.229Z", "dateUpdated": "2026-02-11T21:18:35.282Z"}, "containers": {"cna": {"title": "Improper Validation of Unsafe Equivalence in Input in GitLab", "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI."}], "affected": [{"vendor": "GitLab", "product": "GitLab", "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "cpes": ["cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*"], "versions": [{"version": "18.8", "status": "affected", "lessThan": "18.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input", "cweId": "CWE-1289", "type": "CWE"}]}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586483", "name": "GitLab Issue #586483", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/3502519", "name": "HackerOne Bug Bounty Report #3502519", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM"}}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.8.4 or above."}], "credits": [{"lang": "en", "value": "Thanks [u3mur4](https://hackerone.com/u3mur4) for reporting this vulnerability through our HackerOne bug bounty program", "type": "finder"}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-02-11T11:04:35.229Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T21:18:29.521757Z", "id": "CVE-2026-1094", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:18:35.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1094", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T21:18:29.521757Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T21:18:32.874Z"}}], "cna": {"title": "Improper Validation of Unsafe Equivalence in Input in GitLab", "credits": [{"lang": "en", "type": "finder", "value": "Thanks [u3mur4](https://hackerone.com/u3mur4) for reporting this vulnerability through our HackerOne bug bounty program"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:gitlab:gitaly:*:*:*:*:*:*:*:*"], "repo": "git://git@gitlab.com:gitlab-org/gitlab.git", "vendor": "GitLab", "product": "GitLab", "versions": [{"status": "affected", "version": "18.8", "lessThan": "18.8.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 18.8.4 or above."}], "references": [{"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586483", "name": "GitLab Issue #586483", "tags": ["issue-tracking", "permissions-required"]}, {"url": "https://hackerone.com/reports/3502519", "name": "HackerOne Bug Bounty Report #3502519", "tags": ["technical-description", "exploit", "permissions-required"]}, {"url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/"}], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1289", "description": "CWE-1289: Improper Validation of Unsafe Equivalence in Input"}]}], "providerMetadata": {"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "shortName": "GitLab", "dateUpdated": "2026-02-11T11:04:35.229Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1094", "state": "PUBLISHED", "dateUpdated": "2026-02-11T21:18:35.282Z", "dateReserved": "2026-01-16T21:33:12.365Z", "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a", "datePublished": "2026-02-11T11:04:35.229Z", "assignerShortName": "GitLab"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*", "matchCriteriaId": "BCEB62DB-0D85-4A21-99C4-6235CA97A795", "versionEndExcluding": "18.8.4", "versionStartIncluding": "18.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6D01D64A-0619-427D-B351-4101FC257674", "versionEndExcluding": "18.8.4", "versionStartIncluding": "18.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.8 before 18.8.4 that could have allowed an authenticated developer to hide specially crafted file changes from the WebUI."}], "id": "CVE-2026-1094", "lastModified": "2026-02-12T21:19:23.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "cve@gitlab.com", "type": "Secondary"}]}, "published": "2026-02-11T12:16:04.263", "references": [{"source": "cve@gitlab.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://about.gitlab.com/releases/2026/02/10/patch-release-gitlab-18-8-4-released/"}, {"source": "cve@gitlab.com", "tags": ["Broken Link", "Issue Tracking"], "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/586483"}, {"source": "cve@gitlab.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/3502519"}], "sourceIdentifier": "cve@gitlab.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1289"}], "source": "cve@gitlab.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "product": "gitaly", "vendor": "gitlab"}], "analysis": {"en": {"generated_at": "2026-04-18T12:41:18.076163+00:00", "value": {"mitigation_remediation": ["Upgrade GitLab to version 18.8.4 or newer as recommended by the vendor.", "Verify that all existing merge requests and commits are free of hidden changes before applying the patch to prevent persistence of unauthorized modifications.", "After the upgrade, enforce strict code review and merge request workflows to restrict developer permissions on sensitive repositories."], "summary": {"action": "Apply Patch", "impact": "Hidden file changes by an authenticated developer"}, "threat_synthesis": {"affected_systems": "Both GitLab Community Edition and Enterprise Edition are impacted, specifically all releases from 18.8 up to but not including 18.8.4. Users running any of these versions should examine their installations to determine whether they are within this range.\n", "description_and_impact": "GitLab versions prior to 18.8.4 contain a flaw that improperly validates unsafe equivalence in user input, allowing an authenticated developer to conceal specially crafted file changes from the WebUI. This weakness, identified as CWE\u20111289, can enable developers to hide modifications to repository contents, impacting the integrity of displayed code and potentially allowing the persistence of unauthorized changes.", "risk_and_exploitability": "The overall CVSS score of 4.6 places the vulnerability in the moderate range, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not in the CISA KEV catalog. The attack vector requires an insider credential with developer-level access; the attacker must be authenticated to the GitLab instance and possess permissions to commit changes. Given the limited scope, the risk is primarily to the integrity of code visible through the WebUI."}}}}, "created": "2026-02-11T21:45:47.156806+00:00", "updated": "2026-04-18T12:45:45.673103+00:00", "vendors": ["gitlab", "gitlab$PRODUCT$gitaly"]}