GitLab Fixes DoS, Code Injection, and Access Control Flaws in Self-Managed Instances
GitLab released security updates for Community Edition and Enterprise Edition in versions 18.10.3, 18.9.5, and 18.8.9, patching multiple vulnerabilities that affect self-managed deployments and urging administrators to upgrade immediately. The fixes address high-severity issues including a websocket access control flaw, denial-of-service conditions, and unintended server-side command execution tied to vulnerabilities such as CVE-2026-5173, CVE-2026-1092, and CVE-2025-12664.
The release also resolves medium- and low-severity weaknesses involving code injection, cross-site scripting, GraphQL-related denial of service, CSV import and export handling, authorization bypasses, and information disclosure affecting private projects, protected environments, and custom roles. GitLab said some affected code paths date back to versions as old as 11.3 and 12.10, while GitLab.com and GitLab Dedicated are already protected; the company added that the patches require no new migrations and can be applied to multi-node deployments without downtime, although Omnibus packages still restart services during updates.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
GitLab confirms hosted services already received the fixes
GitLab stated that GitLab.com was already running the patched version and that GitLab Dedicated customers did not need to take action, indicating the fixes had already been deployed to hosted infrastructure. The company also noted the updates required no new migrations and should not require downtime for multi-node deployments.
GitLab releases security patches for CE and EE versions 18.10.3, 18.9.5, and 18.8.9
On April 8, 2026, GitLab published patch releases 18.10.3, 18.9.5, and 18.8.9 for Community Edition and Enterprise Edition to fix multiple security vulnerabilities and bug fixes affecting self-managed deployments. GitLab urged all self-managed customers to upgrade immediately.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Warning: 11 new vulnerabilities in GitLab CE and EE editions, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourceGitLab Security Update Fixes CVE-2026-5173 Flaw
thecyberexpress.com
Open sourceGitLab Patches Multiple Vulnerabilities That Enables DoS and Code Injection Attacks
cybersecuritynews.com
Open sourceGitLab Patch Release: 18.10.3, 18.9.5, 18.8.9 | GitLab
about.gitlab.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitLab Patches XSS and Unauthenticated DoS Flaws in Self-Managed CE and EE
GitLab issued emergency security updates for self-managed Community Edition and Enterprise Edition instances to fix multiple high-severity vulnerabilities, including several cross-site scripting (**XSS**) flaws and unauthenticated denial-of-service (**DoS**) issues. The XSS bugs could allow attackers to run malicious JavaScript in users’ browsers, potentially leading to session hijacking, token theft, and repository manipulation, while the DoS flaws could disrupt CI/CD pipelines and broader workflow operations. The affected products are GitLab CE and EE versions earlier than `18.11.3`, `18.10.6`, and `18.9.7`, and administrators were urged to review GitLab’s release guidance and upgrade immediately to those patched versions. GitLab said its cloud-hosted platforms had already been remediated, while self-hosted operators were warned that single-node upgrades require downtime because of database migrations, whereas multi-node deployments can follow standard zero-downtime upgrade procedures.
May 14, 2026
GitLab Security Update Fixes Web IDE Token Theft and DoS Vulnerabilities
GitLab released security updates for *Community Edition (CE)* and *Enterprise Edition (EE)*, shipping patched versions **18.8.4**, **18.7.4**, and **18.6.6** for self-managed deployments (with GitLab.com already remediated). The most severe issue, **CVE-2025-7659** (CVSS **8.0**), was attributed to *incomplete validation* in the **Web IDE** that could allow an **unauthenticated** attacker to steal access tokens and use them to access **private repositories**. The same release also addressed multiple high-severity availability and client-side issues, including **CVE-2025-8099** (CVSS **7.5**) enabling **DoS** via repeated/complex **GraphQL** queries and **CVE-2026-0958** (CVSS **7.5**) enabling resource exhaustion by bypassing **JSON validation middleware** limits. Additional fixes included CPU-exhaustion vectors involving specially crafted **Markdown** processing (e.g., **CVE-2026-1456** and **CVE-2026-1458**) and an **XSS** issue in code flow functionality (**CVE-2025-14560**, CVSS **7.3**) that could enable malicious script execution in a victim’s browser session.
Mar 21, 2026
GitLab patches 11 flaws including account takeover and XSS in CE and EE
GitLab released **19.0.2**, **18.11.5**, and **18.10.8** for self-managed Community Edition and Enterprise Edition deployments to fix **11 security vulnerabilities** and additional bugs, and urged administrators to upgrade immediately. The advisory says all versions before those releases are affected, while **GitLab.com** has already been patched and **GitLab Dedicated** customers do not need to take action. GitLab also warned that the update includes database migrations that may cause downtime on single-node instances, though multi-node environments can use zero-downtime upgrade procedures. The most severe issue, **`CVE-2026-6552`** (**CVSS 8.7**), is an improper authorization flaw in GitLab EE's Group SAML identity management that could let an authenticated **group Owner** take over another group member's account under certain conditions. GitLab also fixed **`CVE-2026-10087`**, an Analytics Dashboard cross-site scripting flaw in GitLab EE that could allow an authenticated **developer** to execute arbitrary client-side code in a victim's browser. The broader patch set addresses additional risks including denial of service in Grape API JSON parsing, SSRF, unauthorized access to confidential data, and other authorization bypasses, and government and vendor advisories have called on organizations to apply the patched versions.
Jun 11, 2026