CVE-2026-8589

Published Jun 11, 2026

Last updated 3 days ago

CVSS high 7.3

Overview

Description: GitLab has remediated an issue in GitLab EE affecting all versions from 13.1.4 before 18.10.8, 18.11 before 18.11.5, and 19.0 before 19.0.2 that under certain conditions could have allowed an authenticated user to add unauthorized email addresses to a targeted user's account due to improper sanitization of user-supplied input in certain group setting fields.
Source: cve@gitlab.com
NVD status: Analyzed
Products: gitlab

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.7
Impact score: 5.8
Exploitability score: 2.3
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Severity: HIGH

Weaknesses

cve@gitlab.com: CWE-79

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "matchCriteriaId": "6BD9809B-9486-4D2B-A0D0-8E567AF86754",
            "versionEndExcluding": "18.10.8",
            "versionStartIncluding": "13.1.4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "BA1FE381-79F3-49A7-89DC-3EC71D9A2FA2",
            "versionEndExcluding": "18.10.8",
            "versionStartIncluding": "13.1.4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "matchCriteriaId": "D3442E29-F164-40E0-B972-F0EEE8ED4FD1",
            "versionEndExcluding": "18.11.5",
            "versionStartIncluding": "18.11.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "7FB0D7FE-9A4F-45D8-B564-31DF9F2F4066",
            "versionEndExcluding": "18.11.5",
            "versionStartIncluding": "18.11.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:community:*:*:*",
            "matchCriteriaId": "A6FAB200-DFB3-42FC-A901-8E5C0A3CA706",
            "versionEndExcluding": "19.0.2",
            "versionStartIncluding": "19.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:gitlab:gitlab:*:*:*:*:enterprise:*:*:*",
            "matchCriteriaId": "1A666CA8-8D31-4765-87ED-D0F56E9DAFF0",
            "versionEndExcluding": "19.0.2",
            "versionStartIncluding": "19.0.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References