CVE-2026-5262
Unauthorized Token Access via Input Validation Flaw in GitLab Storybook
Publication date: 2026-04-22
Last updated on: 2026-04-23
Assigner: GitLab Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.4 (exc) |
| gitlab | gitlab | From 18.10.0 (inc) to 18.10.4 (exc) |
| gitlab | gitlab | From 16.1.0 (inc) to 18.9.6 (exc) |
| gitlab | gitlab | From 16.1.0 (inc) to 18.9.6 (exc) |
| gitlab | gitlab | 18.11.0 |
| gitlab | gitlab | 18.11.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GitLab CE/EE versions from 16.1.0 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 could allow an unauthenticated user to access tokens in the Storybook development environment. The issue arises due to improper input validation under certain conditions.
How can this vulnerability impact me? :
The vulnerability could allow an unauthenticated attacker to gain access to sensitive tokens within the Storybook development environment. This could lead to unauthorized access to protected resources or services, potentially compromising confidentiality and integrity of data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade GitLab CE/EE to a fixed version. Specifically, update to version 18.9.6 or later if you are using the 18.9 series, 18.10.4 or later for the 18.10 series, or 18.11.1 or later for the 18.11 series. These versions contain the fix for the improper input validation issue that could allow unauthenticated access to tokens in the Storybook development environment.