GitLab patches 11 flaws including account takeover and XSS in CE and EE
GitLab released 19.0.2, 18.11.5, and 18.10.8 for self-managed Community Edition and Enterprise Edition deployments to fix 11 security vulnerabilities and additional bugs, and urged administrators to upgrade immediately. The advisory says all versions before those releases are affected, while GitLab.com has already been patched and GitLab Dedicated customers do not need to take action. GitLab also warned that the update includes database migrations that may cause downtime on single-node instances, though multi-node environments can use zero-downtime upgrade procedures.
The most severe issue, CVE-2026-6552 (CVSS 8.7), is an improper authorization flaw in GitLab EE's Group SAML identity management that could let an authenticated group Owner take over another group member's account under certain conditions. GitLab also fixed CVE-2026-10087, an Analytics Dashboard cross-site scripting flaw in GitLab EE that could allow an authenticated developer to execute arbitrary client-side code in a victim's browser. The broader patch set addresses additional risks including denial of service in Grape API JSON parsing, SSRF, unauthorized access to confidential data, and other authorization bypasses, and government and vendor advisories have called on organizations to apply the patched versions.
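As an added example (not code from the advisory or from any of the cited sources), the following Python check tells an administrator whether a self-managed instance's version string still falls below the fixed release for its branch. It assumes that release branches older than 18.10 are out of support and therefore still affected, and that anything newer than 19.0.2 already carries the fix.

```python
"""Check whether a self-managed GitLab version predates the June 2026 patch release."""
from typing import Tuple

# Fixed versions named in the advisory, one per supported release branch.
FIXED_VERSIONS = ("18.10.8", "18.11.5", "19.0.2")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (an '-ee'/'-ce' suffix is ignored) into a tuple."""
    core = version.strip().split("-")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """Return True if `version` still needs the 19.0.2 / 18.11.5 / 18.10.8 update.

    Rules derived from the advisory wording "all versions before those releases":
    - on a patched branch (18.10, 18.11, 19.0): affected iff below that branch's fix;
    - newer than the newest patched branch: assumed (not stated) to carry the fix;
    - older, unlisted branches (e.g. 18.9): assumed out of support, so affected.
    """
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    for f in fixed:
        if v[:2] == f[:2]:
            return v < f
    newest_branch = max(f[:2] for f in fixed)
    return v[:2] < newest_branch


if __name__ == "__main__":
    # Constructed sample inputs covering each branch and both sides of each fix.
    for sample in ("18.9.3", "18.10.7", "18.10.8", "18.11.0", "19.0.1", "19.0.2-ee", "19.1.0"):
        print(f"{sample:>10}: {'AFFECTED' if is_affected(sample) else 'patched'}")
```

The running version of an instance can be read from its `GET /api/v4/version` endpoint with a personal access token and fed straight into `is_affected`.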

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security highlights GitLab advisory
On 2026-06-11, the Canadian Centre for Cyber Security issued alert AV26-588 highlighting GitLab's June 10 security advisory. It recommended that users and administrators review the advisory and update affected GitLab systems.
GitLab discloses CVE-2026-8589 group settings XSS flaw
GitLab disclosed CVE-2026-8589, an improper input neutralization flaw affecting GitLab EE and corresponding package ranges that could let an authenticated user add unauthorized email addresses to a targeted user's account under certain conditions. The issue was fixed in versions 18.10.8, 18.11.5, and 19.0.2.
GitLab discloses CVE-2026-10087 Analytics Dashboard XSS flaw
GitLab disclosed CVE-2026-10087, an Analytics Dashboard input sanitization flaw in GitLab EE that could allow a developer-level authenticated user to execute arbitrary client-side code in a targeted user's browser under certain conditions. The vulnerability affects versions before 18.10.8, 18.11.5, and 19.0.2 and was fixed in the June 2026 patch release.
GitLab releases 19.0.2, 18.11.5, and 18.10.8 security patches
On 2026-06-10, GitLab released GitLab CE/EE versions 19.0.2, 18.11.5, and 18.10.8 to fix 11 vulnerabilities and additional bugs, and urged self-managed customers to upgrade immediately. GitLab said GitLab.com was already patched and that GitLab Dedicated customers did not need to take action.
GitLab discloses CVE-2026-6552 account takeover vulnerability
GitLab disclosed CVE-2026-6552, an improper authorization flaw in GitLab EE Group SAML identity management that could let a group Owner take over another group member's account under certain conditions. The issue affects versions before 18.10.8, 18.11.5, and 19.0.2 and was remediated in the patch release.
Sources
5 references tracked.
GitLab security advisory (AV26-588) - Canadian Centre for Cyber Security
cyber.gc.ca
CVE-2026-6552 - Authorization Bypass Through User-Controlled Key in GitLab
cvefeed.io
CVE-2026-10087 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
cvefeed.io
CVE-2026-8589 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
cvefeed.io
GitLab Patch Release: 19.0.2, 18.11.5, 18.10.8 | GitLab Docs
docs.gitlab.com