CVE-2026-51893: GitLab SAML deserialization yields unauth RCE

CVE-2026-51893 is an unauthenticated remote-code-execution bug in GitLab EE's SAML single-sign-on flow. On a subset of code paths, GitLab's SAML response consumer deserializes the AttributeStatement via a YAML loader before validating the SAML response signature. A crafted SAML response containing an !ruby/object:-tagged attribute value triggers Ruby object instantiation — and from there, a gadget chain that executes arbitrary shell commands as the GitLab service account. No authentication required; only a reachable GitLab instance with SAML SSO enabled.

Why this is a supply-chain-scale bug

GitLab EE self-hosted instances run the SDLC for hundreds of thousands of organizations. An unauthenticated RCE against GitLab means source code exfiltration, CI/CD token theft, artifact-registry poisoning, and persistent access to the target's entire engineering surface. SAML SSO is the enterprise-default setup, making almost every large GitLab install affected.

The exploit path:

• Attacker sends an unsolicited SAML response to /users/auth/saml/callback. GitLab accepts unsolicited responses by default (SAML spec allows it; implementations often disable).
• Response contains an AttributeStatement with a custom attribute whose value is !ruby/object:Gem::Installer with crafted installation parameters.
• The vulnerable code path calls YAML.load (not YAML.safe_load) on the attribute before reaching validate_signature.
• Object instantiation triggers the gadget chain. GitLab shell runs as git user on Omnibus, or as the pod's service account on Helm chart.

"Deserialize before you validate" is the oldest SAML anti-pattern. It keeps showing up because SAML libraries encourage treating the response as opaque XML until processing — but responses always contain processable data that implementations want to act on early.

Who is exposed

• Self-hosted GitLab EE 16.8 through 17.1.2 with SAML SSO configured. GitLab.com SaaS was patched April 15 (pre-disclosure).
• Internet-facing GitLab instances — Shodan shows ~18,000 reachable GitLab EE login pages; roughly half have SAML endpoints exposed.
• Internal GitLab behind VPN/ZTNA — still exposed if any internal user's workstation is compromised. Lateral movement primitive.
• SAML identity provider is not the attack surface: the bug is in GitLab's response parsing, not the IdP. Even if your Okta / Entra is hardened, GitLab is still vulnerable.

Mitigation

Upgrade. Fixed versions: 17.1.3, 17.0.5, 16.11.7, 16.10.9. GitLab Omnibus and Helm charts updated in parallel.

Temporary mitigations if an upgrade window is hours away, not minutes:

• Disable SAML SSO in GitLab Admin → Settings → Sign-in Restrictions. Falls back to username/password or existing sessions.
• Block /users/auth/saml/callback at the reverse proxy for unsolicited requests — reject requests without a matching session cookie and recent AuthnRequest ID. Requires WAF / proxy that can correlate.
• Rotate all GitLab personal access tokens proactively if the instance has been reachable since April 14 (earliest observed exploitation). Ransomware operators and initial-access brokers are both actively scanning.
• Artifact folder includes a Zeek script that flags SAML responses containing !ruby/object: tags — cheap detection at the network edge.

The broader pattern

YAML-deserialization bugs in SAML / OAuth / OpenID code paths have been a recurring class since 2017 — Rails CVE-2013-0156 set the template. Every few years a new implementation falls into it. The fix is structural: SAML and OIDC libraries should only return trusted data to the application after signature validation, and should never expose a "parse attributes before validating" API. GitLab's 17.1.3 patch does that — but the surface area is large, and expect at least one more CVE of this shape in the next 18 months across other Ruby-on-Rails-based SaaS platforms.