GitLab has released critical security patches for both its Community Edition (CE) and Enterprise Edition (EE) to mitigate multiple vulnerabilities identified in recent assessments.
Critical Vulnerabilities Addressed
The security updates, delivered in versions 18.9.2, 18.8.6, and 18.7.6, address a total of 15 security concerns. The most severe is a Cross-Site Scripting (XSS) vulnerability with a CVSS score of 8.7, identified as CVE-2026-1090. This flaw affects GitLab’s Markdown placeholder processing and can be exploited by authenticated attackers to execute malicious JavaScript, leading to potential unauthorized access or session hijacking.
In addition to the XSS flaw, the update rectifies three high-severity Denial-of-Service (DoS) vulnerabilities. One is a flaw in the GraphQL API, where specially crafted requests can trigger uncontrolled recursion and exhaust server resources. The other two involve the repository archive endpoints and improper JSON payload validation in the protected branches API, either of which could lead to service disruption.
Additional Security Enhancements
Beyond the high-severity issues, GitLab addressed several medium and low-severity bugs. Noteworthy fixes include resolving DoS risks associated with webhook custom headers and endpoints, neutralizing improper CRLF sequences, and correcting access control issues within the runners API. These updates are crucial for preventing unauthorized access to sensitive information and maintaining overall system integrity.
The security patch also addresses information disclosure vulnerabilities affecting confidential issues, ensuring that sensitive data remains protected from potential exposure.
Action Required for Administrators
Administrators of self-managed GitLab instances are advised to update their installations promptly to versions 18.9.2, 18.8.6, or 18.7.6 to safeguard their systems. While single-node setups will experience brief downtime during database migrations, multi-node environments can employ zero-downtime upgrade procedures. Users on GitLab.com and GitLab Dedicated are already secure with the patched versions and need no further action.
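As an added example (not code from the advisory or from GitLab), the following Python check tells an administrator whether a self-managed instance's version string is at or beyond the patched release for its minor line. It assumes the version comes from the "version" field of GitLab's /api/v4/version endpoint, which may carry an -ee or -ce suffix; the sample response is constructed for offline use.

```python
"""Check a GitLab version string against the patched releases named in
this advisory (18.9.2, 18.8.6, 18.7.6). Added example, not GitLab's code."""
import json
import re

# Minimum patched release for each supported minor line, from the advisory.
PATCHED = {
    (18, 9): (18, 9, 2),
    (18, 8): (18, 8, 6),
    (18, 7): (18, 7, 6),
}

# MAJOR.MINOR.PATCH with an optional edition suffix such as "18.9.1-ee".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(ee|ce))?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as ints; reject anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_patched(text: str) -> bool:
    """True if the version is at or above the fix for its minor line.

    Assumption: minor lines newer than 18.9 shipped after the fix and are
    treated as patched; lines older than 18.7 got no patch and are flagged.
    """
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in PATCHED:
        return (major, minor, patch) >= PATCHED[line]
    return line > max(PATCHED)


def check_instance(version_response: str) -> dict:
    """Evaluate a JSON body as returned by GET /api/v4/version."""
    version = json.loads(version_response)["version"]
    return {"version": version, "patched": is_patched(version)}


# Constructed sample response in the shape /api/v4/version returns.
SAMPLE_RESPONSE = '{"version": "18.8.5-ee", "revision": "0000000"}'

if __name__ == "__main__":
    print(check_instance(SAMPLE_RESPONSE))
```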
GitLab plans to release detailed vulnerability reports on its issue tracker 30 days post-patch release, allowing administrators to stay informed about the issues addressed.