GitLab Patches Critical Vulnerabilities Enabling DoS and Code Injection
Key Takeaways
- GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address multiple high-severity vulnerabilities.
- The patches resolve flaws that could lead to Denial-of-Service (DoS) attacks, arbitrary code injection, and information disclosure.
- Affected versions include 18.10.x, 18.9.x, and 18.8.x, with immediate upgrades to 18.10.3, 18.9.5, or 18.8.9 strongly recommended for self-managed instances.
- Users of GitLab.com and GitLab Dedicated are automatically protected as patches have been applied to cloud environments.
GitLab has issued an urgent security advisory, releasing crucial updates for its self-managed Community Edition (CE) and Enterprise Edition (EE) platforms. These patches are designed to mitigate several high-severity vulnerabilities that could enable Denial-of-Service (DoS) attacks and remote code injection.
System administrators overseeing self-managed GitLab installations are strongly urged to apply the updates without delay to safeguard their systems from potential exploits. The patched versions, specifically 18.10.3, 18.9.5, and 18.8.9, are now available.
High-Impact Vulnerabilities Addressed
The latest security release targets three significant vulnerabilities categorized as high-severity, each posing distinct threats to the integrity and availability of GitLab environments.
- CVE-2026-5173 (CVSS 8.5): This high-severity flaw allows an authenticated attacker to execute arbitrary server-side commands. It stems from inadequate access controls on WebSocket connections, which let an authenticated user issue commands they are not authorized to run.
- CVE-2026-1092 (CVSS 7.5): An unauthenticated attacker could trigger a Denial-of-Service condition. This is possible by submitting malformed JSON data to the Terraform state lock API, leading to system instability or unavailability.
- CVE-2025-12664 (CVSS 7.5): Even without authentication, an attacker can initiate a DoS attack. This vulnerability permits overwhelming the server through repeated and excessive GraphQL queries, disrupting normal operations.
Medium-Severity Flaws Patched
In addition to the high-severity issues, GitLab has also addressed several medium-level vulnerabilities that could compromise user privacy and system stability. These include:
- CVE-2026-1516 (CVSS 5.7): An authenticated user could inject malicious code into Code Quality reports. This could secretly leak the IP addresses of other users who view the compromised report.
- CVE-2026-1403 (CVSS 6.5): Weak validation of CSV files during import operations could allow authenticated users to crash background Sidekiq workers, affecting system performance and reliability.
- CVE-2026-4332 (CVSS 5.4): Insufficient input filtering in analytics dashboards could enable attackers to execute harmful JavaScript code within the browsers of other users, leading to cross-site scripting (XSS) attacks.
- CVE-2026-1101 (CVSS 6.5): Poor input validation in GraphQL queries could permit an authenticated user to cause a Denial-of-Service condition for the entire GitLab instance.
Additional Security Enhancements
The comprehensive update package also incorporates several lower-severity patches, resolving issues related to data leaks and broken access controls within the platform.
- CVE-2026-2619 (CVSS 4.3): Incorrect authorization mechanisms allowed authenticated users with auditor privileges to modify vulnerability flag data within private projects, potentially altering security posture records.
- CVE-2025-9484 (CVSS 4.3): An information disclosure vulnerability enabled authenticated users to view other users’ email addresses by exploiting specific GraphQL queries.
- CVE-2026-1752 (CVSS 4.3): Improper access controls allowed developers to modify protected environment settings, potentially circumventing intended security policies.
- CVE-2026-2104 (CVSS 4.3): Insufficient authorization checks in CSV exports allowed users to access confidential issues assigned to others, leading to unauthorized data exposure.
- CVE-2026-4916 (CVSS 2.7): A missing authorization check allowed users with custom roles to demote or remove higher-privileged group members, disrupting organizational hierarchies and access controls.
GitLab underscores that all self-managed installations should be upgraded to 18.10.3, 18.9.5, or 18.8.9 as quickly as possible. The releases do not require complex database changes, so multi-node deployments can be upgraded without downtime.
Users operating on GitLab.com or utilizing GitLab Dedicated services are already safeguarded, as the company has proactively deployed these patches across its cloud infrastructure.
What You Should Do
- Upgrade Immediately: If you manage a self-hosted GitLab CE or EE instance, update to versions 18.10.3, 18.9.5, or 18.8.9 without delay.
- Review Release Notes: Consult the official GitLab release notes for detailed information on the patches and any specific considerations for your environment.
- Verify Patch Application: After upgrading, confirm that the running version reported by the instance (for example via gitlab-rake gitlab:env:info on the host, or the authenticated /api/v4/version REST endpoint) is 18.10.3, 18.9.5, or 18.8.9 for its release branch.
- Monitor Systems: Continue to monitor your GitLab instances for any unusual activity or indicators of compromise.
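The "Verify Patch Application" step above is easy to get wrong by eye when several release branches are in play (18.8.10 is patched, 18.10.2 is not). The following POSIX shell check is an added example, not code from GitLab or from this article: it hard-codes the three fixed versions named above, compares a reported version string component by component, and returns a distinct status for "patched", "unpatched" and "branch not covered by this advisory". The gitlab_live_version helper uses GitLab's real /api/v4/version endpoint (which needs a token with read_api scope) and a simple sed to pull the version field; the treatment of branches older than 18.8 as needing a full upgrade is an assumption.

```shell
#!/bin/sh
# Added example (not code from GitLab or HackersRadar): check a self-managed
# GitLab version string against the fixed releases named in the advisory.
# Fixed versions per the advisory: 18.10.3, 18.9.5, 18.8.9 (hard-coded below).
# Assumption: a branch older than 18.8 is out of scope for these fixes and is
# reported as "not covered" so the operator can plan a full upgrade.

# Print the fixed patch release for a MAJOR.MINOR branch; fail if not covered.
gitlab_fixed_for_branch() {
  case "$1" in
    18.10) echo 18.10.3 ;;
    18.9)  echo 18.9.5 ;;
    18.8)  echo 18.8.9 ;;
    *)     return 1 ;;
  esac
}

# version_ge A B: exit 0 when dotted version A >= B, comparing each numeric
# component (so 18.10.3 > 18.9.5 and 18.8.10 > 18.8.9; plain string
# comparison would get both of these wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# gitlab_is_patched VERSION: exit 0 if patched, 1 if below the fixed release
# for its branch, 2 if the branch is not covered by this advisory.
# Accepts the "18.9.5-ee" / "18.9.5-ce" form the API and gitlab-rake report.
gitlab_is_patched() {
  v=${1%%-*}                     # strip the "-ee"/"-ce" edition suffix
  branch=${v%.*}                 # "18.9.2" -> "18.9"
  fixed=$(gitlab_fixed_for_branch "$branch") || return 2
  version_ge "$v" "$fixed"
}

# gitlab_patch_status VERSION: one-line verdict suitable for a cron report.
gitlab_patch_status() {
  rc=0
  gitlab_is_patched "$1" || rc=$?
  case $rc in
    0) echo "$1: patched" ;;
    1) v=${1%%-*}; echo "$1: UNPATCHED, upgrade to $(gitlab_fixed_for_branch "${v%.*}")" ;;
    *) echo "$1: branch not covered by this advisory, plan an upgrade to 18.10.3" ;;
  esac
}

# gitlab_live_version URL TOKEN: fetch the running version over the REST API.
# Requires network access and a token with read_api scope, so it is not run
# in the offline checks; on the host itself "sudo gitlab-rake gitlab:env:info"
# prints the same "Version:" value.
# Usage: gitlab_patch_status "$(gitlab_live_version https://gitlab.example.com "$TOKEN")"
gitlab_live_version() {
  curl -sSf -H "PRIVATE-TOKEN: $2" "$1/api/v4/version" \
    | sed -n 's/.*"version":"\([^"]*\)".*/\1/p'
}
```

Run it against the version string your instance reports; a non-zero exit from gitlab_is_patched is what an upgrade job or monitoring check should alert on. The comparison is deliberately numeric per component so that a later patch release on the same branch (18.8.10, say) is still recognised as fixed.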
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.