CVE-2026-1230

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-1230
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1230.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-1230
Aliases
Downstream
Published
2026-03-11T16:05:00.849Z
Modified
2026-04-10T05:37:54.663420Z
Severity
  • 4.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N CVSS Calculator
Summary
Use of Incorrectly-Resolved Name or Reference in GitLab
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 1.0 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to cause repository downloads to contain different code than displayed in the web interface due to incorrect validation of branch references under certain circumstances.

Database specific 
{
    "cna_assigner": "GitLab",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/1xxx/CVE-2026-1230.json",
    "cwe_ids": [
        "CWE-706"
    ]
}
References

Affected packages

Git / gitlab.com/gitlab-org/gitlab

Affected ranges

Type
GIT
Repo
https://gitlab.com/gitlab-org/gitlab
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4ff507582a71b3fee0ef5a34e7ab583281391758
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4ff507582a71b3fee0ef5a34e7ab583281391758
Introduced
1010a9b2b769993080ce8399fd25e77c54e1ad1c
Fixed
5831acc89ce4c662f751bb062d1df3bcf2b8cb4e
Introduced
1010a9b2b769993080ce8399fd25e77c54e1ad1c
Fixed
5831acc89ce4c662f751bb062d1df3bcf2b8cb4e
Introduced
20fe49b575fedd2b8cadc2c0640178879854aeb3
Fixed
fcb80522240b3ea1821ac6c2d52b00159bcda5a6
Introduced
20fe49b575fedd2b8cadc2c0640178879854aeb3
Fixed
fcb80522240b3ea1821ac6c2d52b00159bcda5a6
Database specific 
{
    "versions": [
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "18.7.6"
        },
        {
            "introduced": "1.0.0"
        },
        {
            "fixed": "18.7.6"
        },
        {
            "introduced": "18.8.0"
        },
        {
            "fixed": "18.8.6"
        },
        {
            "introduced": "18.8.0"
        },
        {
            "fixed": "18.8.6"
        },
        {
            "introduced": "18.9.0"
        },
        {
            "fixed": "18.9.2"
        },
        {
            "introduced": "18.9.0"
        },
        {
            "fixed": "18.9.2"
        }
    ]
}

Affected versions

Other
11-10-0cfa69752d8-0d9531c80-ee
11-10-0cfa69752d8-74ffd66ae-ee
11-10-119f9509d50-6d7537235-ee
v1.*
v1.2.0
v1.2.0pre
v1.2.1
v1.2.2
v18.*
v18.7.0-ee
v18.7.0-rc42-ee
v18.7.0-rc43-ee
v18.7.3-ee
v18.8.0-ee
v18.8.1-ee
v18.8.3-ee
v18.9.0-ee
v2.*
v2.3.0
v2.3.0pre
v2.3.1
v2.4.0
v2.4.0pre
v2.4.1
v2.5.0
v2.6.0
v2.6.0pre
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.0pre
v2.8.0
v2.8.0pre
v2.8.1
v2.8.2
v2.9.0
v2.9.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v4.*
v4.0.0
v4.0.0rc1
v4.0.0rc2
v5.*
v5.0.0
v5.1.0
v5.2.0
v6.*
v6.0.0-ee
v6.0.0-ee.beta
v6.0.0-ee.rc1
v6.1.0-ee
v6.3.0-ee
v6.3.1-ee
v6.4.0-ee
v6.5.0-ee
v6.6.0-ee
v6.7.0-ee
v6.7.0.rc1-ee
v6.8.0-ee
v7.*
v7.0.0-ee
v7.1.0-ee
v7.1.0.rc1-ee
v7.2.0.rc1-ee
v7.2.0.rc2-ee
v7.2.0.rc3-ee
v7.2.0.rc4-ee
v7.2.0.rc5-ee
v7.3.0-ee
v7.3.0.rc1-ee

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-1230.json"