CVE-2026-1606
Received
Received - Intake
Authenticated Content Concealment in GitLab Snippets
Publication date: 2026-06-25
Last updated on: 2026-06-25
Assigner: GitLab Inc.
Description
Description
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.8 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user to conceal content within a Snippet due to improper input validation.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitlab | gitlab_ce | From 14.8 (inc) to 18.11.6 (exc) |
| gitlab | gitlab_ee | From 14.8 (inc) to 18.11.6 (exc) |
| gitlab | gitlab_ce | From 19.0 (inc) to 19.0.3 (exc) |
| gitlab | gitlab_ee | From 19.0 (inc) to 19.0.3 (exc) |
| gitlab | gitlab_ce | From 19.1 (inc) to 19.1.1 (exc) |
| gitlab | gitlab_ee | From 19.1 (inc) to 19.1.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
