GitLab has issued crucial security updates for its Community and Enterprise Editions, targeting several significant vulnerabilities. The updates, released on May 27, 2026, include versions 19.0.1, 18.11.4, and 18.10.7, and are designed for self-managed instances of the platform. These patches resolve issues across various components including Duo AI, GraphQL APIs, and Wiki; administrators are urged to update immediately to protect their systems.
Details of the Security Flaws
The most critical of these vulnerabilities is a high-severity access control issue within Duo AI workflow runners, identified as CVE-2026-4868. This flaw affects GitLab EE versions from 18.8 up to, but not including, 18.10.7, 18.11.4, and 19.0.1. The vulnerability could potentially allow an authenticated user to execute workflows under another user’s identity, posing a risk of privilege escalation within AI-assisted tasks. It has been assigned a CVSS 3.1 score of 8.2, indicating high impact.
Another significant vulnerability, tracked as CVE-2026-1402, affects the Wiki component in both GitLab CE and EE, from version 17.1 through the unpatched 18.10, 18.11, and 19.0 releases. Due to inadequate input validation, an authenticated user could cause resource exhaustion, leading to Wiki unavailability. This denial-of-service (DoS) vulnerability has a CVSS score of 6.5.
Additional Vulnerabilities and Fixes
The updates also address CVE-2026-6713, an issue with authorization checks in the GraphQL WorkItem API, which could allow unauthorized users to access private project information. This vulnerability has a CVSS rating of 5.3. Several medium-severity authorization issues in the operations and Duo features of GitLab EE have also been corrected. These include CVE-2026-5296, which involves improper authorization in the Duo Workflows API, and CVE-2026-2601, which fixes missing authorization checks exposing sensitive deployment data.
Moreover, CVE-2026-8716 resolves incorrect name resolution behavior in pipelines, and CVE-2026-2710 ensures that blocked Project Access Tokens cannot bypass certain authentication endpoints to access private resources. These fixes are part of the latest patch releases, which also include various stability and performance enhancements.
Implications and Recommendations
GitLab.com users are already protected with these updates, and GitLab Dedicated customers need not take any action. Organizations managing affected versions are strongly encouraged to upgrade promptly, monitor system usage for potential abuse, and adhere to GitLab’s recommended security practices for self-managed deployments. These updates, which do not require new database migrations, support GitLab’s zero-downtime deployment strategy, ensuring smooth and continuous operations.
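As an added example (not GitLab's own tooling), the following check applies the affected and fixed ranges stated above to a version string, so an administrator can confirm whether a self-managed instance still needs the upgrade. The function names and the CE/EE edition handling are assumptions; the version ranges are those given in this advisory.

```python
"""Version-range check for the GitLab advisory above.

Added example, not GitLab's own tooling. Affected-from and fixed versions are
taken from the advisory; the helper names and the edition handling are
assumptions. Fixed releases are per minor series, so 18.10.7 is patched while
18.11.3 (a newer series, but below its own fix) is not.
"""
import re

Version = tuple[int, int, int]

# Patched releases named in the advisory (May 27, 2026).
PATCHED: tuple[Version, ...] = ((18, 10, 7), (18, 11, 4), (19, 0, 1))

# Earliest affected release per CVE, as stated in the advisory.
AFFECTED_FROM: dict[str, Version] = {
    "CVE-2026-4868": (18, 8, 0),   # Duo AI workflow runner access control
    "CVE-2026-1402": (17, 1, 0),   # Wiki resource exhaustion (DoS)
}
EE_ONLY = {"CVE-2026-4868"}        # advisory lists this one for EE only

def parse_version(text: str) -> Version:
    """Parse strings such as '18.11.4' or 'v19.0.1-ee' into (major, minor, patch)."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-\S+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(v: Version) -> bool:
    """True if v is at/after the fix on a patched series, or newer than all of them."""
    for major, minor, patch in PATCHED:
        if (v[0], v[1]) == (major, minor):
            return v[2] >= patch
    newest_series = max((p[0], p[1]) for p in PATCHED)
    return (v[0], v[1]) > newest_series

def affected_cves(version_text: str, edition: str = "ee") -> list[str]:
    """Return the advisory CVEs that apply to this version and edition."""
    v = parse_version(version_text)
    if is_patched(v):
        return []
    return [cve for cve, start in AFFECTED_FROM.items()
            if v >= start and not (edition.lower() == "ce" and cve in EE_ONLY)]

if __name__ == "__main__":
    for sample in ("18.9.2", "18.10.7", "18.11.3", "19.1.0"):
        print(sample, affected_cves(sample) or "not affected")
```

Run it against the version shown on the instance's own admin page; an empty result means the instance carries the fixes for the issues listed here.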
