Vulnerability Reportgitlab/gitlab-ce:latest

Name: gitlab/gitlab-ce:19.0.2-ce.0 Security Vulnerability Report
Creator: BaseImage
Keywords: gitlab/gitlab-ce:19.0.2-ce.0, Docker security, vulnerability scan, CVE, container security, SBOM

gitlab/gitlab-ce:latestgitlab/gitlab-ce:rcgitlab/gitlab-ce:19.0.2-ce.0

DIGESTsha256:6ac4993b5b4739b8461c9eb9e04da10438f985652853bb66f0d63ae7a97fdb57

Executive Summary

DANGEROUS

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve unauthorized access to the GitLab instance or spoof legitimate services to intercept sensitive data. The most critical vulnerability, CVE-2026-42010 (severity 9.8), is an authentication bypass in GnuTLS. Note that CVE-2026-42010 requires servers configured with RSA-PSK, and CVE-2026-5260 requires an RSA key backed by a PKCS#11 token; however, other high-severity flaws like CVE-2026-42013 do not specify such configuration requirements. Immediate remediation is mandatory before any production deployment.

Threat Score

100/100

DANGEROUS

The image received a maximum threat score of 100, indicating a critical security posture for production use.
Contains a critical authentication bypass vulnerability (CVE-2026-42010, severity 9.8) that could allow unauthorized access to the GitLab instance.
Multiple high-severity certificate validation bypass flaws (e.g., CVE-2026-42013, severity 8.2; CVE-2026-42011, severity 7.4) can enable spoofing or man-in-the-middle attacks.
A total of 4 exposed surface vulnerabilities rated severity >= 7.0, and 9 with severity >= 6.0, presenting a significant attack surface.
Despite being a popular, reliable community image pinned by digest, the severity and nature of the exposed vulnerabilities are unacceptable for production.

Reputation

RELIABLE

gitlab

POPULAR COMMUNITY

High Reputation Community Image (382M+ pulls)
Pinned by digest (Immutable)

BaseImage/

gitlab/gitlab-ce:latest

Hardened

Grade

A+

Vulns

Verified & secured for production

Vulnerabilities

Vulnerability Log

46 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42010	CRITICAL9.8	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-42013	HIGH8.2	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-42011	HIGH7.4	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-42012	HIGH7.1	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: HIGH
CVE-2026-5260	MEDIUM6.56	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: MEDIUM
CVE-2026-41989	MEDIUM6.38	libgcrypt20 1.10.3-2build1 fixed in 1.10.3-2ubuntu0.1	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-3833	MEDIUM6.29	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-33845	MEDIUM6.18	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42009	MEDIUM6	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: MEDIUM
CVE-2026-4437	MEDIUM5.52	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-40226	MEDIUM5.44	libsystemd0 255.4-1ubuntu8.15 fixed in 255.4-1ubuntu8.16	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40226	MEDIUM5.44	libudev1 255.4-1ubuntu8.15 fixed in 255.4-1ubuntu8.16	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-33846	MEDIUM5.1	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2024-2236	MEDIUM5.02	libgcrypt20 1.10.3-2build1 No fix yet	0.7% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-34743	MEDIUM4.5	liblzma5 5.6.1+really5.4.5-1ubuntu0.2 fixed in 5.6.1+really5.4.5-1ubuntu0.3	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-42015	MEDIUM4.24	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly ExposedContext importance: MEDIUM
CVE-2021-31879	MEDIUM4.14	wget 1.21.4-1ubuntu4.1 No fix yet	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-27456	MEDIUM4	libblkid1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libmount1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libsmartcols1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-27456	MEDIUM4	libuuid1 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-5419	LOW3.7	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Directly Exposed
CVE-2026-4438	LOW3.4	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-3832	LOW3.15	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-45582	LOW2.86	tar 1.35+dfsg-3build1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	busybox 1:1.36.1-6ubuntu3.1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-5704	LOW2.8	tar 1.35+dfsg-3build1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-40228	LOW2.8	libsystemd0 255.4-1ubuntu8.15 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2026-40228	LOW2.8	libudev1 255.4-1ubuntu8.15 No fix yet	<0.1% Theoretical Threat	Directly Exposed
CVE-2025-60876	LOW2.75	busybox 1:1.36.1-6ubuntu3.1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	bsdutils 1:2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	mount 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-27456	LOW2.4	util-linux 2.39.3-9ubuntu6.5 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-56433	LOW2.16	login 1:4.13+dfsg1-4ubuntu3.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2024-56433	LOW2.16	passwd 1:4.13+dfsg1-4ubuntu3.2 No fix yet	4.5% Low-Moderate Risk	Post-Exploit
CVE-2026-6238	LOW1.99	libc-bin 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2026-6238	LOW1.99	libc6 2.39-0ubuntu8.7 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1:1.36.1-6ubuntu3.1 No fix yet	<0.1% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1:1.36.1-6ubuntu3.1 No fix yet	<0.1% Theoretical Threat	Not Applicable
CVE-2026-42014	NONE0	libgnutls30t64 3.8.3-1.1ubuntu3.5 fixed in 3.8.3-1.1ubuntu3.6	—	Not Applicable