GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities
GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), shipping patched versions 18.8.4, 18.7.4, and 18.6.6 for self-managed deployments (with GitLab.com already remediated). The most severe issue, CVE-2025-7659 (CVSS 8.0), was attributed to incomplete validation in the Web IDE that could allow an unauthenticated attacker to steal access tokens and use them to access private repositories.
The same release also addressed multiple high-severity availability and client-side issues, including CVE-2025-8099 (CVSS 7.5) enabling DoS via repeated/complex GraphQL queries and CVE-2026-0958 (CVSS 7.5) enabling resource exhaustion by bypassing JSON validation middleware limits. Additional fixes included CPU-exhaustion vectors involving specially crafted Markdown processing (e.g., CVE-2026-1456 and CVE-2026-1458) and an XSS issue in code flow functionality (CVE-2025-14560, CVSS 7.3) that could enable malicious script execution in a victim’s browser session.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Belgium CCB warns of multiple high-criticality GitLab vulnerabilities
On 2026-02-13, Belgium's Centre for Cybersecurity published an advisory warning about multiple high-criticality vulnerabilities in GitLab CE/EE and calling for immediate patching. This reflects broader government amplification of GitLab's February 10 security release.
Canadian Centre for Cyber Security urges users to apply GitLab updates
On 2026-02-11, the Canadian Centre for Cyber Security issued advisory AV26-114 referencing GitLab's February 10 security advisory. It urged users and administrators to review GitLab's guidance and apply patch versions 18.8.4, 18.7.4, and 18.6.6.
GitLab discloses CVE-2025-7659 and other key flaws in advisory
GitLab's advisory identified CVE-2025-7659 as the most severe issue, a Web IDE incomplete validation flaw that could let an unauthenticated attacker steal access tokens and access private repositories. The advisory also described additional DoS, XSS, HTML injection, and related vulnerabilities, and noted GitLab.com was already patched while some self-managed upgrades may involve database-migration downtime.
GitLab releases security patches for CE and EE vulnerabilities
On 2026-02-10, GitLab published patch releases 18.8.4, 18.7.4, and 18.6.6 for Community Edition and Enterprise Edition, urging self-managed customers to upgrade immediately. The fixes addressed 13 vulnerabilities, including high-severity issues affecting the Web IDE, denial-of-service conditions, XSS, HTML injection, SSRF, and other validation and authorization flaws.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Warning: Multiple high criticality vulnerabilities in GitLab CC/EE, Patch Immediately! | CCB Safeonweb
ccb.belgium.be
Open sourceGitLab security advisory (AV26-114) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceGitLab Patches Multiple Vulnerabilities That Enables DoS and Cross-site Scripting Attacks
cybersecuritynews.com
Open sourceGitLab Patch Alert: High-Severity Web IDE Flaw Exposes Private Repos
securityonline.info
Open sourceGitLab Patch Release: 18.8.4, 18.7.4, 18.6.6 | GitLab
about.gitlab.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitLab Patches XSS and API Denial-of-Service Vulnerabilities in CE/EE
GitLab released security updates for **GitLab Community Edition (CE)** and **Enterprise Edition (EE)**, shipping patched versions **18.9.2**, **18.8.6**, and **18.7.6** to address multiple vulnerabilities affecting self-managed deployments. The Canadian Centre for Cyber Security issued advisory **AV26-222** urging organizations to review GitLab’s upstream advisory and apply the updates for any instances running versions prior to those releases. The update fixes **15 security issues**, including a high-severity **XSS** vulnerability (**CVE-2026-1090**, CVSS 8.7) in Markdown placeholder processing when the relevant feature flag is enabled, which could allow an authenticated attacker to inject malicious JavaScript into a victim’s browser. GitLab also addressed several **denial-of-service** conditions, including issues impacting the **GraphQL API** (resource exhaustion via recursion), repository archive endpoints, and JSON payload validation in the protected branches API; additional fixes include webhook-related DoS risks (e.g., **CVE-2025-13690**, **CVE-2025-12576**) and a **CRLF sequence** handling issue (**CVE-2026-3848**).
Mar 27, 2026
GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances
GitLab released security updates for Community Edition and Enterprise Edition in versions **18.10.3**, **18.9.5**, and **18.8.9**, patching multiple vulnerabilities that affect self-managed deployments and urging administrators to upgrade immediately. The fixes address high-severity issues including a websocket access control flaw, denial-of-service conditions, and unintended server-side command execution tied to vulnerabilities such as `CVE-2026-5173`, `CVE-2026-1092`, and `CVE-2025-12664`. The release also resolves medium- and low-severity weaknesses involving code injection, cross-site scripting, GraphQL-related denial of service, CSV import and export handling, authorization bypasses, and information disclosure affecting private projects, protected environments, and custom roles. GitLab said some affected code paths date back to versions as old as 11.3 and 12.10, while **GitLab.com** and **GitLab Dedicated** are already protected; the company added that the patches require no new migrations and can be applied to multi-node deployments without downtime, although Omnibus packages still restart services during updates.
Apr 24, 2026
GitLab Patches High-Severity 2FA Bypass and DoS Vulnerabilities in CE/EE
GitLab released security updates for self-managed **GitLab Community Edition (CE)** and **Enterprise Edition (EE)** to fix a high-severity **two-factor authentication (2FA) bypass** and multiple **denial-of-service (DoS)** flaws. The most significant issue, **CVE-2026-0723** (CVSS 7.4), is an *unchecked return value* weakness in authentication services that could allow an attacker with knowledge of a victim’s credential/account ID to bypass 2FA by submitting forged device responses. GitLab also patched DoS vulnerabilities affecting unauthenticated and authenticated scenarios, including crafted malformed authentication data against the **Jira Connect** integration (**CVE-2025-13927**), incorrect authorization validation in API endpoints such as the **Releases API** (**CVE-2025-13928**), malformed Wiki documents that bypass cycle detection (**CVE-2025-13335**), and repeated malformed SSH authentication requests (**CVE-2026-1102**). Fixed releases are **18.8.2**, **18.7.2**, and **18.6.4**; GitLab advised administrators to upgrade immediately, noting *GitLab.com* is already patched, while third-party tracking indicated thousands of exposed GitLab CE instances remain online and potentially at risk if unpatched.
Mar 21, 2026