Critical GitLab Flaws Allow XSS and Unauthenticated DoS Attacks
Key Takeaways GitLab has released urgent security updates for several critical vulnerabilities. The flaws include high-severity Cross-Site Scripting (XSS) and unauthenticated Denial-of-Service (DoS)...
Key Takeaways
- GitLab has released urgent security updates for several critical vulnerabilities.
- The flaws include high-severity Cross-Site Scripting (XSS) and unauthenticated Denial-of-Service (DoS) issues.
- Self-hosted GitLab Community Edition (CE) and Enterprise Edition (EE) instances are directly impacted.
- Successful exploitation could lead to session hijacking, sensitive data theft, or complete disruption of CI/CD pipelines.
- Immediate patching to versions 18.11.3, 18.10.6, or 18.9.7 is mandatory for affected systems.
A recent disclosure from GitLab has revealed a series of critical vulnerabilities that could significantly compromise self-hosted instances of the popular DevOps platform. These flaws, ranging from severe Cross-Site Scripting (XSS) to unauthenticated Denial-of-Service (DoS) attacks, present immediate and substantial risks to development pipelines and sensitive data.
Table Of Content
On May 13, 2026, GitLab issued emergency security patches to address these high-severity issues. The company emphasized the urgency of these updates, particularly for organizations managing their own GitLab deployments, as the vulnerabilities could enable attackers to take over user sessions or render critical CI/CD systems inoperable.
Critical XSS Vulnerabilities
Among the most concerning vulnerabilities are several Cross-Site Scripting (XSS) flaws, which carry a CVSS score of 8.7. These allow malicious actors to inject arbitrary JavaScript code into various parts of the GitLab interface. Specifically, CVE-2026-7481 and CVE-2026-5297 enable script injection within analytics dashboard chart renderings and global search fields, respectively. Another XSS vulnerability, CVE-2026-6073, affects Duo Agent output rendering.
When an authenticated user views a compromised page containing the injected script, it executes within their browser context. This grants attackers the ability to hijack user sessions, steal authentication tokens, or manipulate code repositories and other resources as if they were the legitimate user, posing a severe threat to the integrity and confidentiality of development operations.
Unauthenticated Denial-of-Service Flaws
Equally critical are multiple unauthenticated Denial-of-Service (DoS) vulnerabilities, each with a CVSS score of 7.5. These flaws, including CVE-2026-1659 and CVE-2025-14870, are particularly dangerous as they do not require any form of authentication for exploitation. An attacker can leverage these vulnerabilities by sending specially crafted payloads to specific API endpoints, such as the CI/CD job update API or the Duo Workflows API.
Successful exploitation of these DoS vulnerabilities, also including CVE-2025-14869 affecting internal API endpoints, can overwhelm the targeted system, leading to a complete paralysis of core GitLab functions. This disruption can halt a development team’s ability to push updates, deploy code, or manage essential internal workflows, severely impacting productivity and operational continuity.
Affected Versions and Remediation
GitLab’s cloud-hosted platforms have already received the necessary patches. However, organizations running self-managed Community Edition (CE) and Enterprise Edition (EE) servers are directly exposed and must take immediate action. The vendor has released updates for various versions, and administrators are urged to upgrade their systems to versions 18.11.3, 18.10.6, or 18.9.7 without delay.
While planning the emergency maintenance, administrators should be aware of potential deployment impacts. Single-node GitLab instances will experience mandatory downtime during the upgrade process due to critical database migrations. Conversely, multi-node environments can typically perform zero-downtime upgrades by adhering to standard deployment procedures.
A medium-severity vulnerability, CVE-2026-1322, concerning improper authorization in GraphQL token scope with a CVSS score of 6.8, was also addressed in this patch release.
What You Should Do
- Immediately Update: Prioritize upgrading all self-managed GitLab Community Edition (CE) and Enterprise Edition (EE) instances to the latest patched versions: 18.11.3, 18.10.6, or 18.9.7.
- Review Documentation: Consult the official GitLab patch release notes for specific instructions and any prerequisites for your environment.
- Plan for Downtime: If running a single-node instance, schedule necessary downtime to accommodate database migrations during the upgrade.
- Verify Multi-Node Procedures: For multi-node environments, follow established zero-downtime upgrade procedures carefully to ensure continuous operation.
- Monitor Systems: After patching, closely monitor GitLab instances for any unusual activity or performance issues.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.