GitLab has announced the release of crucial security updates for its Community Edition (CE) and Enterprise Edition (EE), urging all users to upgrade immediately to address several critical vulnerabilities. These updates, available in versions 18.10.3, 18.9.5, and 18.8.9, are essential to safeguard systems from potential Denial-of-Service (DoS) and code injection attacks.
Critical Vulnerabilities Addressed
The security patches resolve three high-severity vulnerabilities that pose significant risks to GitLab users. The first, identified as CVE-2026-5173 with a CVSS score of 8.5, allows authenticated attackers to execute unauthorized server-side commands via WebSocket connections due to inadequate access controls. Another, CVE-2026-1092 (CVSS 7.5), enables unauthenticated users to initiate a DoS attack by submitting improperly validated JSON data to the Terraform state lock API. Additionally, CVE-2025-12664 (CVSS 7.5) permits attackers without accounts to trigger a DoS condition by overwhelming the server with repeated GraphQL queries.
Medium-Severity Vulnerabilities
In addition to high-severity issues, GitLab has also addressed several medium-level vulnerabilities. These include CVE-2026-1516 (CVSS 5.7), where authenticated users could inject malicious code into Code Quality reports, exposing the IP addresses of others viewing the report. CVE-2026-1403 (CVSS 6.5) highlights weak CSV file validation, allowing users to crash background Sidekiq workers during file import. Furthermore, CVE-2026-4332 (CVSS 5.4) involves inadequate input filtering in analytics dashboards, enabling attackers to execute harmful JavaScript code in other users’ browsers. Lastly, CVE-2026-1101 (CVSS 6.5) points to poor input validation in GraphQL queries, allowing authenticated users to cause a DoS of the entire GitLab instance.
Additional Security Improvements
GitLab’s update also incorporates several lower-severity patches addressing data leaks and access control issues. For instance, CVE-2026-2619 (CVSS 4.3) allowed authenticated users with auditor privileges to modify vulnerability flag data in private projects. CVE-2025-9484 (CVSS 4.3) involved an information disclosure bug that permitted users to view others’ email addresses through specific GraphQL queries. Additionally, CVE-2026-1752 (CVSS 4.3) allowed developers to alter protected environment settings due to improper access controls, while CVE-2026-2104 (CVSS 4.3) and CVE-2026-4916 (CVSS 2.7) involved insufficient authorization checks in CSV exports and custom role management, respectively.
GitLab emphasizes that all self-managed installations should upgrade to one of the specified versions without delay. The updates do not require complex database changes, so they can be applied to multi-node deployments without downtime. Users on GitLab.com or GitLab Dedicated are already protected, as GitLab has applied these patches to its hosted infrastructure.
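For administrators of self-managed instances, the practical question is whether a given install is already at or above the fixed release for its branch. The following added example (not code from GitLab or from the advisory) compares an instance's reported version against the three patched releases named above. It assumes the version string has the usual `MAJOR.MINOR.PATCH` form with an optional edition suffix such as `-ee`, that a release branch newer than 18.10 already contains the fixes, and that branches older than 18.8 received no patch release and should be reported against the oldest fixed release, 18.8.9; the JSON body it evaluates is constructed to match the shape returned by the authenticated `GET /api/v4/version` endpoint.

```python
"""Check whether a self-managed GitLab version carries the 18.10.3 / 18.9.5 / 18.8.9 fixes."""
import json
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by release branch (major, minor).
PATCHED_VERSIONS = {
    (18, 10): (18, 10, 3),
    (18, 9): (18, 9, 5),
    (18, 8): (18, 8, 9),
}
OLDEST_PATCHED_BRANCH = min(PATCHED_VERSIONS)   # (18, 8)
NEWEST_PATCHED_BRANCH = max(PATCHED_VERSIONS)   # (18, 10)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; edition suffixes such as '-ee' are ignored."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def required_upgrade(version: str) -> Optional[str]:
    """Return the release the instance must reach, or None if it already has the fixes.

    Branch handling (assumptions made by this example, not statements from the advisory):
      - a branch newer than 18.10 is assumed to already contain the fixes;
      - a branch older than 18.8 got no patch release, so the oldest patched
        release (18.8.9) is reported as the minimum upgrade target.
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch > NEWEST_PATCHED_BRANCH:
        return None
    if branch < OLDEST_PATCHED_BRANCH:
        return "%d.%d.%d" % PATCHED_VERSIONS[OLDEST_PATCHED_BRANCH]
    fixed = PATCHED_VERSIONS[branch]
    if (major, minor, patch) >= fixed:
        return None
    return "%d.%d.%d" % fixed


def assess_version_response(body: str) -> dict:
    """Evaluate the JSON body returned by GET /api/v4/version (requires a token)."""
    version = json.loads(body)["version"]
    target = required_upgrade(version)
    return {"version": version, "patched": target is None, "upgrade_to": target}


if __name__ == "__main__":
    # Constructed sample response; a real check would fetch it with
    #   curl -H "PRIVATE-TOKEN: <token>" https://<gitlab-host>/api/v4/version
    SAMPLE_BODY = '{"version": "18.10.2-ee", "revision": "0123abcd"}'
    print(assess_version_response(SAMPLE_BODY))
```

The check is deliberately per-branch: 18.9.5 is patched even though it sorts below 18.10.2, which is not, so a plain "is the version greater than X" comparison would give the wrong answer for instances on the older supported branches.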