CVE-2026-0752 in Community Edition
Summary
by MITRE • 02/25/2026
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.2 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that, under certain circumstances, could have allowed an unauthenticated user to inject arbitrary scripts into the Mermaid sandbox UI.
Analysis
by VulDB Data Team • 03/02/2026
The vulnerability lies in GitLab's Mermaid diagram rendering, where an unauthenticated user could inject script into the sandboxed user interface. It affects every release from 16.2 up to the patched version on each of the three branches named in the summary, so the exposure spanned several release lines rather than a single build, and exploitation required no credentials. Mermaid renders diagrams and flowcharts from text descriptions; here the sandboxing mechanism did not properly sanitize that user-supplied text, leaving an injection vector for cross-site scripting.
At root, the issue is insufficient input validation and sanitization in the Mermaid rendering component. When submitted diagram code contains script tags or other active content, the application fails to filter or escape it before it is rendered in the browser. This is a classic cross-site scripting flaw: the Mermaid UI becomes a vehicle for running attacker-controlled JavaScript in the context of other users' browsers. What makes it particularly concerning is the absence of any authentication requirement, so anyone who can reach the instance's diagram rendering features can attempt it.
The operational impact goes beyond script execution itself: XSS of this kind could enable session hijacking, theft of sensitive information, or redirection of users to malicious sites. An attacker could in turn use captured sessions to escalate privileges or to plant persistent backdoors within the GitLab environment. Because the affected ranges cover multiple release branches, organizations running any of those versions may have been exposed for an extended period. The weakness maps to CWE-79 (cross-site scripting) and could be categorized under ATT&CK technique T1059.007 for script injection.
Organizations should upgrade immediately to the patched releases (18.7.5, 18.8.5 or 18.9.1, depending on the branch in use). Patching should be followed by testing of the Mermaid functionality to confirm that legitimate diagram rendering still works once the fix is in place. Additional mitigations include a web application firewall tuned to detect and block script injection attempts, monitoring for suspicious diagram code submissions, and restricting access to diagram rendering features where feasible. Security teams should also audit other user-facing components that process untrusted input, in GitLab and in associated applications, for similar weaknesses.
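As an added example (not VulDB's or GitLab's own code), the following Python script checks whether a GitLab version string falls inside the affected ranges stated in the summary and names the patched release to move to. It assumes the lower bounds "16.2", "18.8" and "18.9" mean the first release of those branches (x.y.0) and ignores an edition suffix such as "-ee".

```python
# Added example (not VulDB's or GitLab's code): version check for CVE-2026-0752.
from __future__ import annotations
import sys

# Affected ranges from the advisory: inclusive start, exclusive first fixed release.
# Assumption: "16.2", "18.8" and "18.9" denote the first release of each branch (x.y.0).
AFFECTED_RANGES = [
    ("16.2.0", "18.7.5"),
    ("18.8.0", "18.8.5"),
    ("18.9.0", "18.9.1"),
]


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH]' into a comparable tuple; a suffix like '-ee' is dropped."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_version_for(version: str) -> str | None:
    """Return the first patched release on the matching branch, or None if not affected."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    """True when the version sits inside one of the advisory's affected ranges."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs are used when no versions are passed on the command line.
    for arg in sys.argv[1:] or ["18.7.4-ee", "18.7.5", "18.8.2", "18.9.0", "16.1.9", "18.10.0"]:
        fixed = fixed_version_for(arg)
        print(f"{arg}: {'AFFECTED, upgrade to ' + fixed if fixed else 'not in an affected range'}")
```

Feed it the version string reported by your instance (for example from the GitLab admin area or the `/api/v4/version` endpoint) to get a quick affected/not-affected answer per host.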